Kerio Control integrates Snort, an intrusion detection and prevention system (IDS/IPS) that protects the firewall and the local network from known network intrusions. In Kerio Control, the system name is simplified to Intrusion Prevention (the name covers both functions — no prevention measures can be taken without detection).
What the intrusion prevention system is for and how it works
A network intrusion is undesirable network traffic that affects the functionality or security of the victim host. Its purpose is usually to gain illegitimate access and/or to obtain sensitive data.
A typical attribute of such intrusions is their apparent legitimacy, which makes the traffic difficult to uncover and impossible to filter out simply by traffic rules. Let us use a DoS intrusion (Denial of Service) as an example. In this type of intrusion, so many connections are established on a port that the system resources of the server application are used up and no other users can connect.
However, to the firewall this looks like ordinary access to an allowed port.
Therefore, a more sophisticated analysis of network traffic is needed to detect network intrusions. Network intrusion detection systems use databases of known intrusions (similar to antivirus programs using databases of known viruses). Thanks to regular updates of the database, new intrusion types are also recognized.
In the current version of Kerio Control, the intrusion prevention system works on all network interfaces included in the Internet Interfaces group (see chapter 7). This implies that it detects and blocks network intrusions coming from the Internet, not from hosts in local networks or VPN clients (these hosts are considered trusted).
For correct functionality of the intrusion prevention system, use of NAT is required (for details on NAT, see chapter 9.3). It can therefore be used in all typical configurations where Kerio Control protects a local network. If Kerio Control is deployed as a so-called neutral router (without IP address translation), the intrusion prevention system will not work correctly.
Intrusion detection is performed before traffic rules are applied (see chapter 9), so traffic rules cannot interfere with the detection process.
10.1 Network intrusion prevention system (IPS)
Intrusion prevention configuration in Kerio Control
The intrusion prevention system can be configured under Configuration → Traffic Policy → Intrusion Prevention.
Detection of known intrusion types
Kerio Control distinguishes three levels of intrusion severity:
• High severity — activity that is very likely an intrusion attempt (e.g. Trojan horse network activity).
• Medium severity — activities considered suspicious and possibly harmful, where there is a certain chance the traffic may be legitimate (e.g. traffic by a non-standard protocol on the standard port of another protocol).
• Low severity — suspicious network activities which do not indicate an immediate security threat (e.g. port scanning).
For each severity level, one of the following actions can be set:
• Log and drop — information about the detected activity will be recorded in the Security log (see chapter 24.11) and the particular network traffic will be blocked.
• Log — the detected activity will only be recorded in the Security log,
• No action — the detected activity will be ignored.
Default and recommended settings for individual intrusion severity levels:
• High severity → Log and drop,
• Medium severity → Log,
• Low severity → No action (if too many false alarms are suspected, see also Advanced settings).
Functionality of the intrusion prevention system can be tested by clicking the link on a special web page on one of the Kerio Technologies servers. Upon startup of the test, three fake, harmless intrusions of high, medium and low severity will be sent to the client’s address (i.e. to the IP address of your firewall). The test script then evaluates whether the firewall let the intrusion attempts in or blocked them. The Security log will also include three corresponding records stating whether the firewall blocked, only logged or ignored the intrusions (for details, see chapter 24.11).
Note:
This test is designed only for the intrusion prevention system built into Kerio Control. It cannot be used for testing other IDS/IPS products.
Use of known intruders databases (blacklists)
In addition to detection of known intrusion types, it is also possible to detect and block traffic from IP addresses listed in web databases of known intruders (so-called blacklists). In this case, all traffic from the IP address is logged and possibly blocked. This method of detecting and blocking intruders is much faster and less demanding than detection of individual intrusion types. However, it also has some disadvantages. Blacklists cannot include IP addresses of all possible intruders as the
detected intrusions:
• Log and drop — information about the detected traffic and the blocked IP address will be recorded in the Security log and any network traffic from that IP address will be blocked.
• Log — information about the detected traffic and the blacklisted IP address will only be recorded in the Security log,
• No action — the detected blacklisted IP address will not be considered an intruder.
Note:
Kerio Control does not support adding custom blacklists.
Update of intrusions and known intruders databases
For correct functionality of the intrusion detection system, it is necessary to update the databases of known intrusions and intruder IP addresses regularly. Kerio Control allows you to set an interval for regular automatic updates (the default value is 24 hours), and an immediate update can also be performed if needed (e.g. after a longer power outage). Under usual circumstances there is no reason to disable automatic updates — outdated databases decrease the effectiveness of the intrusion prevention system.
Warning:
For database updates, a valid Kerio Control license or a registered trial version is required. For details see chapter 5.
Advanced settings
Kerio Control allows you to set advanced parameters for the intrusion prevention system. These parameters can increase the effectiveness of the intrusion prevention system and help avoid so-called false positives. However, it is recommended not to change these parameters unless you are absolutely sure about the values!
Ignored intrusions
In some cases, legitimate traffic may be detected as an intrusion. If this happens frequently or even regularly, it may be helpful to define an exception for the particular intrusion. Exceptions are defined by adding the rule ID number to the list. The rule identifier can be found in the Security log (see chapter 24.11) or in the Snort documentation (http://www.snort.org/).
Note:
Exceptions are helpful only in cases where legitimate traffic is detected as an intrusion repeatedly or, better still, regularly. It may be harmful to define an exception after the first occurrence of such a problem.
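As an added illustration of the note above (not code from Kerio Control or its manual), the following script parses a constructed Security log excerpt and lists only the rule IDs that fire repeatedly on several distinct days, i.e. the candidates worth reviewing for the Ignored intrusions list. The log line layout, the rule IDs and the addresses are assumptions made for the example, not the product's exact format.

```python
import re
from collections import defaultdict

# Constructed sample Security log excerpt. The layout is an assumed approximation of a
# Kerio Control IPS record, and the Snort-style "generator:sid" rule IDs are illustrative.
SAMPLE_LOG = """\
[10/Mar/2013 08:12:01] IPS: Alert, severity: Medium, Rule ID: 1:2101201 GPL WEB_SERVER 403 Forbidden, proto:TCP, ip/port:198.51.100.7:49152 -> 203.0.113.10:80
[10/Mar/2013 08:12:05] IPS: Alert, severity: Medium, Rule ID: 1:2101201 GPL WEB_SERVER 403 Forbidden, proto:TCP, ip/port:198.51.100.7:49153 -> 203.0.113.10:80
[10/Mar/2013 09:40:33] IPS: Packet drop, severity: High, Rule ID: 1:2008120 ET TROJAN Example Checkin, proto:TCP, ip/port:192.0.2.55:3310 -> 203.0.113.10:445
[11/Mar/2013 08:13:10] IPS: Alert, severity: Medium, Rule ID: 1:2101201 GPL WEB_SERVER 403 Forbidden, proto:TCP, ip/port:198.51.100.8:50001 -> 203.0.113.10:80
[11/Mar/2013 10:02:44] IPS: Alert, severity: Low, Rule ID: 1:2002910 ET SCAN Potential VNC Scan, proto:TCP, ip/port:192.0.2.99:40000 -> 203.0.113.10:5900
"""

# One regex for the assumed record layout; named groups give us the fields we need.
LINE_RE = re.compile(
    r"^\[(?P<day>\d{2}/\w{3}/\d{4}) (?P<time>[\d:]+)\] IPS: (?P<action>[^,]+), "
    r"severity: (?P<severity>\w+), Rule ID: (?P<rule_id>\d+:\d+) (?P<name>.*?), "
    r"proto:(?P<proto>\w+), ip/port:(?P<src>\S+) -> (?P<dst>\S+)$"
)

def parse_ips_events(log_text):
    """Return one dict per IPS record; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def exception_candidates(events, min_hits=3, min_days=2):
    """Rule IDs seen at least min_hits times on at least min_days distinct days.

    A rule that fired once does not qualify, matching the manual's advice not to add
    an exception after a single detection. Returns (rule_id, hits, days, name) tuples.
    """
    hits, days, names = defaultdict(int), defaultdict(set), {}
    for ev in events:
        rid = ev["rule_id"]
        hits[rid] += 1
        days[rid].add(ev["day"])
        names[rid] = ev["name"]
    return sorted(
        (rid, hits[rid], len(days[rid]), names[rid])
        for rid in hits if hits[rid] >= min_hits and len(days[rid]) >= min_days
    )

if __name__ == "__main__":
    for rid, n, d, name in exception_candidates(parse_ips_events(SAMPLE_LOG)):
        print(f"{rid}  hits={n}  days={d}  {name}")
```

The listed rule IDs are only review candidates; the decision to add one to Ignored intrusions still rests on confirming that the matched traffic is legitimate.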