IDS IPS

Print Friendly, PDF & Email

When you create a network where numerous machines are deployed, security is of paramount concern. With IDS/IPS, you can detect attacks. This detection implements a security layer to all communications and cordons your systems from unwanted intrusions or attack. You can also take actions like blocking the attacker’s IP for certain time, and send an alert message to the administrator.

Note
The IDS/IPS feature is available only in the clients with Microsoft Windows.

You can create different policies with varying IDS/IPS settings and apply them to the groups so that each has separate policies based on the requirement.
For FAQ about networking, see FAQ.

Configuring IDS/IPS

To configure policy for IDS/IPS, follow these steps:

  1. Create Container/feature policy for IDS/IPS.
  2. In the Host IDS/IPS section, enable IDS Rules by selecting the check box. By default, this option is selected.
  3. Select the Detect Port Scanning Attack check box, if required.
  4. You can add IP Port exceptions if required.
  5. Select the Detect DDOS (Distributed Denial of Service) Attack check box, if required.
  6. From the following options, select an action to be performed when attack is detected:
    • Block Attackers IP for … Minutes. By default, this option is selected and 5 minutes are set. Select the time, if required.
    • Display alert message when attack is detected. This option helps you to take an appropriate action when attack is detected.
  7. To save your settings, click Save Policy.
    Importantly, if you have customized the settings and later you want to revert to the default settings, click the Reset Default button.

Customizing Port Scanning

You can customize settings for Detect Port Scanning Attack as follows:

  1. On IDS/IPS policy page, select the Detect Port Scanning Attack check box.
    The Customize link gets enabled.
  2. Click the Customize link.
    The Settings –Port Scanning dialog appears.
  3. Select one of the following levels:
    • Soft: Detect attack if many ports are scanned
    • Normal: Detect attack if multiple ports are scanned
    • Strict: Detect attack if few ports are scanned
    • Custom: Helps you customize the number of scanned ports and attack duration.
  4. To exclude an IP address you do not want to be scanned, click Add in the Excluded IP Addresses section.
  5. On the Add IP Address screen, type an IP Address or IP range and then click OK.
  6. To exclude a port that you do not want to be scanned, click Add from the Excluded Ports section.
  7. On the Add Port screen, type a Port or Port range and then click OK.

Customization for Distributed Denial of Service

You can customize settings for Detect DDOS (Distributed Denial of Service) Attack as follows:

  1. On IDS/IPS policy page, select the Detect DDOS (Distributed Denial of Service) Attack check box.
    The Customize link gets enabled.
  2. Click the Customize link.
    The Settings – Denial of Service dialog appears.
    Select one of the following levels:

    • Soft: Detect attack if many attacks are detected
    • Normal: Detect attack if multiple attacks are detected
    • Strict: Detect attack if few attacks are detected
    • Custom: Helps you customize the number of attack sources and attack duration.
  3. To exclude an IP address that you do not want to be scanned, click Add in the Excluded IP Addresses section.
  4. On the Add IP Address screen, type an IP Address or IP range and then click OK.
  5. To exclude a port that you do not want to be scanned, click Add in the Excluded Ports section.
  6. On the Add Port screen, type a port or port range and then click OK.

Creating the Exceptions

  1. In Exceptions section, the list of Exceptions appears.
  2. To create new exception, click Add.
  3. On the Add/Edit Exception screen, do the following.
    1. Type a name in the Exception Name text box
    2. Select a protocol. The protocol includes: TCP and UDP.
    3. Select one of the Direction from the following and click Next.
      • Inbound Connections
      • Outbound Connections
      • Inbound – Outbound Connections
    4. Click Next.
  4. Under Local IP Address, do one of the following,
    • Select the Any IP Addresses option, you need not type an IP address as all IP addresses will be allowed or blocked.
    • Select the IP address option and type the IP address. Click Add to add the IP address. You can add multiple IP addresses here.
      You can add up to 25 IP addresses per exception. However, the combined count of all IP addresses in all exceptions in a policy must be equal to or less than 255.
      You can delete the IP address with help of the Delete button.
      You can also import the IP addresses from a text file using the Import button. The maximum limit to import valid IP addresses is 25 per exception.
    • Select IP Address Range option. Enter Start IP Address and End IP Address.
  5. Click Next.
  6. Under Local TCP/UDP Ports, do one of the following,
    • Select the All Ports option to select all ports.
    • Select the Specific Ports option and type the port numbers. Use comma in between to add multiple ports.
    • Select the Port Range option. Enter Start Port Number and End Port Number.
  7. Click Next.
  8. Under Remote IP Address, do one of the following,
    • Select the Any IP Addresses option, you need not type an IP address as all IP addresses will be allowed or blocked.
    • Select the IP address option and type the IP address. Click Add to add the IP address. You can add multiple IP addresses here.
      You can add up to 25 IP addresses per exception. However, the combined count of all IP addresses in all exceptions in a policy must be equal to or less than 255.
      You can delete the IP address with help of Delete button.
      You can also import the IP addresses from a text file using Import button. The maximum limit to import valid IP addresses is 25 per exception.
    • Select IP Address Range option. Enter Start IP Address and End IP Address.
  9. Click Next.
  10. If you mention remote IP or port, that exception will be for outgoing communications.

  11. Under Remote TCP/UDP Ports, do one of the following,
    • The All Ports option is selected by default.
    • Select the Specific Ports option and type the port numbers. Use commas in between to add multiple ports.
    • Select the Port Range option. Enter Start Port Number and End Port Number.
  12. Click Next.
  13. Click Finish.
    The Exception is added at the top position in the Exceptions list. The sequence of the exceptions decides the precedence of the rule. The precedence is in descending order. You can move the exception rule with the Move Up and Move Down buttons.
  14. Click Save Policy.

Editing the Exceptions rule

You can edit the exceptions rule which are created by you. To edit the Exceptions rule, follow these steps:

  1. In Exceptions section, select the exception that you want to edit.
  2. On the Add/Edit Exception screen, you can edit the name in the Exception Name text box and edit the protocol. The protocol includes: TCP, and UDP.
  3. Edit Direction option if required.
  4. Click Next.
  5. Edit Local IP Address if required, and then click Next.
  6. Edit Local TCP/UDP Ports if required, and then click Next.
  7. Edit Remote IP Address if required, and then click Next.
  8. Edit Remote TCP/UDP Ports if required, and then click Next.
  9. Click Finish.
  10. Click Save Policy.

Deleting the Exceptions rule

You can delete the exceptions rule that you have created. To delete the Exceptions rule, follow these steps:

  1. In Exceptions section, select the exception that you want to delete.
  2. The action bar is enabled above the table. In the drop down, select Delete.
  3. Click Submit. The selected exception rule is deleted.
  4. Click Save Policy.

Exporting the Exceptions rule

You can export the exceptions rule that you have created. To export the Exceptions rule, follow these steps:

  1. In Exceptions section, select the exceptions that you want to export.
  2. Select Action > Export. The Opening ids_exception.json dialog appears.
  3. Select Save File.
  4. Click Ok.
    The database file, ids_exception.json is downloaded.

Importing the exceptions rule

You can import the exceptions rule that you have created in the earlier versions of EPS. To import the Exceptions rule, follow these steps:

  1. In Exceptions section, click Add > Import. The File Upload dialog appears.
  2. Select the database file, ids_exception.json.
  3. Click Open.
    The database file, ids_exception.json is imported.
Was this page helpful?

Leave a Comment