Intrusion Prevention - Settings

Overview

Intrusion Prevention uses deep packet inspection (DPI) to check for and block threats (malware, exploits against OS vulnerabilities, unwanted, etc.) that are not always seen by traditional sources of protection such as Anti-Virus or Anti-Spyware software. It can also be used to stop the use of unwanted applications such as Internet Chat clients or Peer to Peer file sharing clients by workstations on the network.

 

Setup and Configuration

To configure IPS, click on Intrusion Prevention -> Settings in the Web Interface and click the "Enabled" checkbox.

You will then be presented with a variety of options to be configured.

Protected Networks
These are the networks that should be protected by IPS. You will want to make sure that your LAN network, WAN IP address, and the IP and subnet of any other networks you might have behind the unit are added here. Any VPNs or remote networks that need access to the LAN should also be entered here.

 

Protected Computers
Intrusion Prevention uses rules in order to determine what type of traffic to scan for. By selecting the types of computers you have on your network, you can define which rules should and should not be loaded. If you do not have any Apple computers on your network, for instance, you would not need to check the checkbox for that style of computer. This will allow IPS to disable rules that pertain specifically to Macintosh as they would not be required. Check the checkbox next to each of the Computers/Operating Systems you currently have on your network.

 

Web servers
If you have Web servers behind your unit, you will want to check the "Enabled" checkbox and fill in the IP address of each of the web servers you have. If these web servers have a private (NAT'ed) IP address, that is the IP address you should use. You should also add the IP address that your DNS records for the web server are pointed to.

Choosing between Apache, IIS, Other, or Mixed will allow IPS to further tailor its rules towards your unique network setup. Mixed should be used if you have a combination of different types of web servers. Other should be used if the web server is not Apache or IIS.

 

Mail servers
If you have Mail servers behind your unit, you will want to check the 'Enabled' checkbox and fill in the IP address of each of the Mail servers you have. If these Mail servers have a private (NAT'ed) IP address, that is the IP address you should use. You should also add the IP address that your DNS records for the mail server are pointed to.
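
A pre-entry check for the Protected Networks, Web servers and Mail servers fields described above, as an added example that is not part of the eSoft documentation or product. The worksheet layout and its field names are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed worksheet; field names are hypothetical, addresses are documentation ranges.
SAMPLE_PLAN = {
    "protected_networks": ["192.168.1.0/24", "203.0.113.10"],
    "lan": ["192.168.1.0/24"],
    "wan_ip": ["203.0.113.10"],
    "other_networks": ["192.168.50.0/24"],    # DMZ behind the unit
    "vpn_remote_networks": ["10.8.0.0/24"],   # remote site that reaches the LAN
    "web_servers": {
        "listed": ["192.168.50.20"],
        "inventory": [{"name": "www", "private_ip": "192.168.50.20",
                       "dns_ip": "203.0.113.11"}],
    },
    "mail_servers": {
        "listed": ["192.168.1.25", "203.0.113.10"],
        "inventory": [{"name": "mx", "private_ip": "192.168.1.25",
                       "dns_ip": "203.0.113.10"}],
    },
}

def audit_ips_plan(plan):
    """Return findings for entries the settings page asks for but the plan lacks."""
    findings = []
    protected = [ipaddress.ip_network(n, strict=False)
                 for n in plan["protected_networks"]]

    def covered(value):
        # A bare IP parses as a /32 (or /128); compare only within one IP version.
        net = ipaddress.ip_network(value, strict=False)
        return any(net.version == p.version and net.subnet_of(p) for p in protected)

    # Protected Networks: LAN, WAN IP, other networks behind the unit, VPN/remote.
    for field in ("lan", "wan_ip", "other_networks", "vpn_remote_networks"):
        for value in plan.get(field, []):
            if not covered(value):
                findings.append(f"{field}: {value} is not in Protected Networks")

    # Web/mail servers: list the private (NAT'ed) IP and the IP the DNS records point to.
    for kind in ("web_servers", "mail_servers"):
        listed = {ipaddress.ip_address(a) for a in plan[kind]["listed"]}
        for srv in plan[kind]["inventory"]:
            for role in ("private_ip", "dns_ip"):
                ip = srv.get(role)
                if ip and ipaddress.ip_address(ip) not in listed:
                    findings.append(f"{kind}: {srv['name']} {role} {ip} is not listed")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ips_plan(SAMPLE_PLAN)) or "plan is complete")
```

An empty result means every address the settings page asks for is accounted for in the worksheet before it is typed into the Web Interface.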

 

 

Network Policies
The Network Policies section allows you to block Internet Chat clients and Peer-to-peer file sharing clients from being allowed out to the Internet. Check the "Enabled" checkbox by each if you wish to block this type of traffic.

 

 

Responsiveness
IPS allows you to set it for 3 different levels of responsiveness depending on your requirements.

The 'Aggressive' response state will log all alerts and block all connections it considers to be attacks regardless of severity. The 'Normal' response state will log alerts while only blocking those attacks that are considered more severe. The 'Passive' response state logs only and does not block attacks.

What is blocked and what is not in any response state can be further tailored in the Action Profiles section.
Once everything has been configured, click the Apply button to save your settings.

 

 

*Note: Clicking Apply re-writes all the active rules and action profiles. If you have made manual changes via the Action Profiles or Rules manager menus, they will be overwritten if you click Apply on the settings page after making changes. You will receive a warning message if this is going to occur.

© 2012 eSoft. All rights reserved.