Through the “Create Profile” option it is possible to create a new Intrusion Prevention profile. To access it, click on the actions menu [].

1. Click on the “Create Profile” option;


Intrusion Prevention - Create Profile


2. The “Add Profile” screen will be displayed. Fill it with the following data:


Intrusion Prevention - Create Profile


Settings tab


In this tab you make the general settings, the definitions and the operating mode of Intrusion Prevention.


General


In "General" we have the following text boxes:



Intrusion Prevention – General


  • Name: Define a name for the profile. Ex.: Malware Prevention;
  • Description: Set a description for the profile. Ex.: Block Malware;
  • Version: Indicates the version in which the profile was created.


Mode


In "Mode" the operating mode of the IPS and the traffic it inspects are defined:



Intrusion Prevention - Mode


  • Processes: Select the number of simultaneous processes that load the profile. Each process corresponds to a thread. We recommend that this value be less than or equal to (≤) the number of processing cores in your Appliance. This field is mandatory;
  • Type: Select the IPS operating mode. The available types are: Firewall, Transparent and Passive;
    • Firewall: This mode works as a system of "Protection oriented to Network Assets". Through the "Security Policies" it is possible to establish protection rules against intruders ("profiles") oriented to each "network service", "protocol" or even "security network", directing packet traffic for analysis by the IPS;
    • Transparent: This mode works as a sniffer applied directly to the network interface. It uses a system of “capture, filtering and analysis of packets at high speed”. In simple terms, it is an acceleration agent that allows packets on a single interface to be split across multiple threads / cores, allowing for more efficient packet processing. Packets are inspected at a much lower level than in traditional sniffer or packet engines, thereby reducing resource costs and increasing the efficiency of your device;

      Transparent mode is supported only on “Physical Appliance” models.

    • Passive: This mode works by monitoring the network and generating log "records" of all packets identified by your signature base, regarding threats and attacks, taking no action on the malicious packet. It operates in bypass mode.
  • Flow: This item is only required for configuration in “Transparent” mode. Select the packet forwarding flow. The flow is determined by the input device of the packet. Ex.: Eth2 : Eth3;
  • Interface: This item is only required for configuration in “Passive” mode. Select the network interface on which packets arrive. Ex.: Eth2.


In the Flow and Interface fields, the network interfaces must be “enabled” and have no IP address assigned, as shown below:


Network Interfaces - Example


For more information on how to configure the interfaces check this page.
In addition, to avoid fragmentation, it may be necessary to increase the MTU values of the interfaces. For more information on this, see this page.
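The constraints described above (Processes is mandatory and should not exceed the core count, Transparent mode needs a Flow with two interfaces, Passive mode needs an Interface, and every interface used must be enabled and carry no IP address) can be checked before the profile is saved. The pre-flight check below is an added example and not Blockbit code; the `profile` and `interfaces` dictionaries are an assumed representation of what the "Add Profile" screen and the Network Interfaces page collect, and the interface inventory is constructed sample data.

```python
"""Pre-flight checks for the "Mode" settings of an Intrusion Prevention profile.

Added example, not Blockbit's code. The dictionary layouts are assumptions;
the appliance stores profiles and interfaces in its own format.
"""
from typing import Dict, List

VALID_TYPES = {"Firewall", "Transparent", "Passive"}

# Constructed interface inventory: Eth1 is a management port with an address,
# Eth2/Eth3 are enabled with no IP (suitable for a flow), Eth4 is disabled.
INTERFACES: Dict[str, dict] = {
    "Eth1": {"enabled": True, "ip": "192.0.2.1/24"},
    "Eth2": {"enabled": True, "ip": None},
    "Eth3": {"enabled": True, "ip": None},
    "Eth4": {"enabled": False, "ip": None},
}


def check_mode_settings(profile: dict, interfaces: Dict[str, dict], cores: int) -> List[str]:
    """Return a list of problems; an empty list means the Mode settings are consistent."""
    problems: List[str] = []

    # Processes: mandatory, one thread each, recommended <= number of cores.
    processes = profile.get("processes")
    if not isinstance(processes, int) or processes < 1:
        problems.append("Processes is mandatory and must be a positive integer")
    elif processes > cores:
        problems.append(f"Processes ({processes}) exceeds the {cores} cores of the appliance")

    mode = profile.get("type")
    if mode not in VALID_TYPES:
        problems.append(f"Type must be one of {sorted(VALID_TYPES)}, got {mode!r}")
        return problems

    # Transparent needs a Flow "EthA : EthB"; Passive needs a single Interface;
    # Firewall takes its traffic from the Security Policies and needs neither.
    needed: List[str] = []
    if mode == "Transparent":
        flow = profile.get("flow")
        parts = [p.strip() for p in flow.split(":")] if isinstance(flow, str) else []
        if len(parts) != 2 or not all(parts) or parts[0] == parts[1]:
            problems.append("Transparent mode requires Flow in the form 'Eth2 : Eth3' with two distinct interfaces")
        else:
            needed = parts
    elif mode == "Passive":
        iface = profile.get("interface")
        if not iface:
            problems.append("Passive mode requires Interface")
        else:
            needed = [iface]

    # Interfaces used by Flow/Interface must exist, be enabled and have no IP address.
    for name in needed:
        iface = interfaces.get(name)
        if iface is None:
            problems.append(f"{name}: unknown interface")
            continue
        if not iface.get("enabled"):
            problems.append(f"{name}: interface must be enabled")
        if iface.get("ip"):
            problems.append(f"{name}: interface must not have an IP address")
    return problems


if __name__ == "__main__":
    ok = {"processes": 4, "type": "Transparent", "flow": "Eth2 : Eth3"}
    bad = {"processes": 16, "type": "Passive", "interface": "Eth1"}
    for name, prof in (("ok", ok), ("bad", bad)):
        print(name, check_mode_settings(prof, INTERFACES, cores=8))
```

Running the module prints an empty list for the first profile and two problems for the second (too many processes for an eight-core appliance, and an interface that still has an IP address).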


Definitions


In "Definitions" you choose which recommended rule sets are displayed and whether all ports are inspected:



Intrusion Prevention - Definitions


  • Enable client recommended rules []: Enabling this option displays the standard Blockbit ATP rules. These rules are shown on the Client tab;
  • Enable server recommended rules []: Enabling this option displays Blockbit's standard IPS rules. These rules are shown on the Server tab;
  • Inspect all ports []: Enables inspection regardless of the port the application is running on.


Enabling the Inspect all Ports option may limit the processing throughput of your network traffic.


Client Tab


When enabling the Enable client recommended rules [] option in the Settings tab, the Client tab will display the signatures as shown below:



Intrusion Prevention - Client


The signatures are divided as follows:


  • Status: Defines the current state of the signature. The options are:
    • All;
    • Enabled;
    • Disabled;
    • Blocked;
    • Unblocked.
  • Quarantine: Enables or disables quarantine for the signature and sets whether it is applied to the source or the destination IP. Enabling quarantine automatically sets the signature to the block status. As a result, every time traffic matches the signature the address is dynamically inserted into the quarantine and stays blocked for the time configured for quarantine;
  • Risk: Determines the risk of the signature based on the criticality and complexity of the attack. The possible values are:
    • Low;
    • Medium;
    • High.
  • Category: Defines signature groups that serve the same purpose;
  • Name / SID: This field allows you to search by the signature name in the system, by the signature's unique identifier (SID) or by its CVE code. It is also possible to search for signatures that are in quarantine, enabled, disabled, among others;
  • Action []: It is possible to manipulate the signatures that have been filtered, according to the following options:


    Intrusion Prevention - Actions


To change the action of a specific signature in the base, click on the [/] of "Status" and "Block" of the signature that you want to "Enable / Disable".


When the Enable client recommended rules or Enable server recommended rules checkbox is activated in the Definitions tab, some SIDs are highlighted: a SID in blue is the default recommended by Blockbit (when you edit any of them, it turns gray).

See the example below, where the third and fourth SIDs are highlighted:


Intrusion Prevention - Highlighted SID example


The system has a search panel that performs searches according to the information entered in the fields mentioned above. To open it, click on [].

Server Tab


When enabling the Enable server recommended rules [] option in the Settings tab, the Server tab will display the IPS signatures as shown below:



Intrusion Prevention - Server


As in the Client tab, signatures are divided as follows:


  • Status: Defines the current state of the signature. The options are:
    • All;
    • Enabled;
    • Disabled;
    • Blocked;
    • Unblocked.
  • Quarantine: Enables or disables quarantine for the signature and sets whether it is applied to the source or the destination IP. Enabling quarantine automatically sets the signature to the block status. As a result, every time traffic matches the signature the address is dynamically inserted into the quarantine and stays blocked for the time configured for quarantine;
  • Risk: Determines the risk of the signature based on the criticality and complexity of the attack. The possible values are:
    • Low;
    • Medium;
    • High.
  • Category: Defines signature groups that serve the same purpose;
  • Name / SID: This field allows you to search by the signature name in the system or by the signature's unique identifier (SID);
  • Action []: It is possible to manipulate the signatures that have been filtered, according to the following options:


    Intrusion Prevention - Actions


To change the action of a specific signature in the base, click on the [/] of "Status" and "Block" of the signature that you want to "Enable / Disable".


When the Enable client recommended rules or Enable server recommended rules checkbox is activated in the Definitions tab, some SIDs are highlighted: a SID in blue is the default recommended by Blockbit (when you edit any of them, it turns gray).

See the example below, where the third and fourth SIDs are highlighted:
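The quarantine behaviour described for both the Client and the Server tab (enabling quarantine forces the signature into block status; each match inserts the source or destination address into the quarantine; traffic to or from that address stays blocked until the configured quarantine time elapses) is simulated below. This is an added example, not Blockbit code: the `Signature`, `Quarantine` and packet structures are assumed, signature matching itself is taken as already done (each constructed packet carries the SID it matched, or `None`), and the SIDs and addresses are constructed sample values.

```python
"""Simulation of IPS signature status and quarantine handling.

Added example, not Blockbit's code. Data structures are assumptions; the
appliance's internal representation is not documented on the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Signature:
    sid: int
    status: str = "enabled"           # "enabled" or "disabled"
    block: bool = False               # True = drop matching traffic, False = log only
    quarantine: Optional[str] = None  # None, "source" or "destination"

    def __post_init__(self) -> None:
        # Enabling quarantine automatically puts the signature in block status.
        if self.quarantine is not None:
            self.status = "enabled"
            self.block = True


@dataclass
class Quarantine:
    duration: int                                           # seconds an address stays quarantined
    entries: Dict[str, int] = field(default_factory=dict)   # address -> expiry timestamp

    def add(self, address: str, now: int) -> None:
        self.entries[address] = now + self.duration

    def contains(self, address: str, now: int) -> bool:
        expiry = self.entries.get(address)
        if expiry is None:
            return False
        if now >= expiry:
            del self.entries[address]   # quarantine time elapsed: release the address
            return False
        return True


def inspect(packet: dict, matched: Optional[Signature], quarantine: Quarantine, now: int) -> str:
    """Return 'drop', 'alert' or 'pass' for one packet, updating the quarantine as a side effect."""
    # Traffic to or from a quarantined address stays blocked until the time expires,
    # whether or not the packet itself matches a signature.
    if quarantine.contains(packet["src"], now) or quarantine.contains(packet["dst"], now):
        return "drop"
    if matched is None or matched.status != "enabled":
        return "pass"
    if matched.quarantine is not None:
        key = packet["src"] if matched.quarantine == "source" else packet["dst"]
        quarantine.add(key, now)
    return "drop" if matched.block else "alert"


def run_scenario() -> List[str]:
    """Replay constructed events and return the verdict for each packet."""
    # Constructed signatures: 1000001 quarantines by source, 1000002 only logs.
    sigs = {
        1000001: Signature(sid=1000001, quarantine="source"),
        1000002: Signature(sid=1000002, block=False),
    }
    quarantine = Quarantine(duration=600)   # assumed 10-minute quarantine time
    events = [  # (timestamp, packet); "sid" is the signature the packet matched, if any
        (0,   {"src": "203.0.113.7", "dst": "198.51.100.10", "sid": 1000001}),  # match -> quarantined
        (5,   {"src": "203.0.113.7", "dst": "198.51.100.20", "sid": None}),     # benign, but source is quarantined
        (10,  {"src": "203.0.113.9", "dst": "198.51.100.10", "sid": 1000002}),  # log-only signature
        (700, {"src": "203.0.113.7", "dst": "198.51.100.10", "sid": None}),     # quarantine expired
    ]
    return [inspect(packet, sigs.get(packet["sid"]), quarantine, ts) for ts, packet in events]


if __name__ == "__main__":
    print(run_scenario())   # ['drop', 'drop', 'alert', 'pass']
```

The second event shows the practical effect of quarantine that operators should expect: once an address is quarantined, even traffic that matches no signature is dropped until the configured time runs out, so a false-positive signature with quarantine enabled can cut off a legitimate host for the whole quarantine period.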


Intrusion Prevention - Highlighted SID example


The system has a search panel that performs searches according to the information entered in the fields mentioned above. To open it, click on [].

Restore button


If at any time you want to restore the profile to Blockbit's default settings, click on []; the following window will be displayed.


Intrusion Prevention - Do you really want to restore the profile to default?


Click the [] button to exit this window or the [] button to restore.


Profile restored


Finally, if you want to cancel, click the [] button. To finish editing the profile, click on the [] button.


Saved successfully


The settings have been successfully made.
