Why do you still need an IDS/IPS when you already have a firewall?
IDS/IPS stands for intrusion detection/prevention system.
A firewall only blocks inbound connections from the outside to ports the system does not serve. It does not block traffic on those ports when the connection originates from the inside, that is, when a user or the system itself requests an external service (unless such services are never used at all). A Trojan can then ride that allowed flow to infiltrate the system.
This mainly affects clients, because a client relies entirely on external services.
A server can configure a firewall to completely prevent traffic from entering unwanted ports. However, there are some situations where the server needs to use external services, typically:
• A nameserver requires recursive name resolution
• A server updates anti-virus database
• A mail server updates anti-spam database
The IDS/IPS analyzes network traffic to reach a verdict; its goal is to detect or block malicious packets that have already passed through the firewall. As the name suggests, the system has two roles, IDS and IPS: it acts as an IDS when operating in tap mode and as an IPS when operating in inline mode.
Tap mode is more practical when false positives occur, and it is simpler to set up. When the IDS detects a positive, it raises an alert, and the administrator then hardens the system, for example by tightening the firewall. For example, the IDS provides the following:
Given that the Internet-facing zone is the public zone, the administrator can add a firewall rule as follows:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" priority=-32768 source address="22.214.171.124/16" port port="53" protocol="udp" log prefix="MALWARE: " reject'
And keep it permanently:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" priority=-32768 source address="126.96.36.199/16" port port="53" protocol="udp" log prefix="MALWARE: " reject' --permanent
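The alert-to-rule step above is the part an administrator repeats most often, so here is an added example (not part of the original post) that builds the same firewalld rich rule from an IDS alert line. The alert format (source IP, destination port, protocol, message) is a constructed one for this example and not the output of any particular IDS; the script only prints the commands so the rule can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: turn an IDS alert into the firewalld rich rule used in the post.
# The alert format below is constructed for this example; adapt the parsing to
# whatever your IDS actually emits.

# Constructed sample alert: "<src_ip> <dst_port> <proto> <message...>"
SAMPLE_ALERT="22.214.171.124 53 udp suspicious DNS traffic"

# Accept only a numeric port in the valid TCP/UDP range.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the rich rule text: log with the "MALWARE: " prefix and reject traffic
# from the alerting source's /16 to the given port and protocol.
build_rich_rule() {
    src_ip="$1"; port="$2"; proto="$3"
    printf 'rule family="ipv4" priority=-32768 source address="%s/16" port port="%s" protocol="%s" log prefix="MALWARE: " reject' \
        "$src_ip" "$port" "$proto"
}

# Build the full firewall-cmd invocation for the public zone; the optional
# fourth argument "permanent" appends --permanent.
build_cmd() {
    rule=$(build_rich_rule "$1" "$2" "$3")
    if [ "$4" = "permanent" ]; then
        printf "sudo firewall-cmd --zone=public --add-rich-rule='%s' --permanent" "$rule"
    else
        printf "sudo firewall-cmd --zone=public --add-rich-rule='%s'" "$rule"
    fi
}

# Split the alert line into fields, validate the port and print both the
# runtime and the permanent command for the administrator to review.
parse_and_emit() {
    set -- $1
    valid_port "$2" || { echo "invalid port in alert: $2" >&2; return 1; }
    build_cmd "$1" "$2" "$3"; printf '\n'
    build_cmd "$1" "$2" "$3" permanent; printf '\n'
}

parse_and_emit "$SAMPLE_ALERT"
```

Both commands are printed because a rule added with --permanent alone only changes the saved configuration and takes effect after a reload, while the runtime rule applies immediately but is lost on reload; running both, as the post does, covers both cases.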