
2013/07/05

You may never have looked at IPS in Kerio Control, and you may never need to. The default configuration is all most users need, and it updates itself regularly and automatically, so it is easy to forget that it's even there.

There are some areas you might want to consider adjusting, or at least know something about, so let's take a quick spin through it.

Snort

The Kerio IPS (Intrusion Prevention System) uses Snort to make decisions about possibly undesirable network activity. Note that it only inspects outside activity: traffic arriving on the interfaces in the Internet Interfaces group, not traffic from local networks or VPN clients.

There are rules and blacklists:



You can find the rules in /opt/kerio/winroute/snort/rules/used.rules. Here's an example rule:

If you want to know more about Snort, see The Snort Cookbook and The Snort User's Manual.

Note that IPS is applied BEFORE your traffic rules, so you can't bypass it with traffic rules. Finally, it requires NAT. That's the normal and default use of Kerio Control, but you should be aware that IPS doesn't work if you are not using NAT for inside addresses.

The default configuration for these IPS rules is to log and drop high severity incidents, only log medium severity, and do nothing about the low severity rules.

Many of these threats may already be patched by your operating system. For example, consider this log entry:

If you are running any sort of anti-virus/anti-malware software on your computers, that software is likely already very aware of that threat and is prepared to block it. So why bother with these IPS rules?

Well, your computer software may be out of date, perhaps because you just haven't had a convenient moment to do the update. The Kerio Control IPS updates itself automatically and as often as you say - by default every 24 hours, but you can make that as often as every hour if you wanted to.

Automatic updates are incremental. To force a full update, hold Shift and click the Update link.

If you want to see what that rule actually is, search for "2008411" in /opt/kerio/winroute/snort/rules/used.rules.

Testing the IPS

If you look in your Security log, you'll likely find IPS entries - these attacks are very common. If you have been blessed with incredibly good luck and see nothing, you can test the IPS system by clicking the "test these settings" link:



If a rule is being triggered that you do NOT want to use, you can disable it in the Advanced section:



You only have to put in the sid number ("2008411" in the example above). Kerio will add the "1:" in front of it (1 is the Snort generator ID for ordinary text rules).

The other part of Advanced is for protocol-specific rules. That is, some rules refer to http like this:

If you are accessing some website on a non-standard port (the expected ports are 80, 8000-8080 and 3128), you can add that port here; otherwise the http rules are never evaluated for that traffic.
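Here is an added example (my own code, not Kerio's or Snort's) that ties the pieces above together: it parses a handful of constructed Snort rules in the one-rule-per-line layout of used.rules, finds a rule by sid the way you would search for "2008411", shows the "1:sid" key Kerio stores for a disabled rule, buckets each rule into high/medium/low with the default action for that bucket, and checks whether a rule keyed to $HTTP_PORTS would even be evaluated for a site on a non-standard port before and after that port is added. The sids, messages and classtypes in the sample are invented, and treating the priority from Snort's classification.config as Kerio's severity is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# CONSTRUCTED sample in Snort rule syntax, one rule per line as in used.rules.
# The sids, messages and classtypes are invented for this example.
SAMPLE_RULES = r"""
# comment lines and blank lines are ignored
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE WEB_SERVER suspicious request"; flow:to_server,established; content:"GET"; http_method; classtype:web-application-attack; sid:9000001; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE NETBIOS SMB admin share access"; flow:to_server,established; classtype:attempted-admin; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SCAN port sweep"; flags:S; classtype:attempted-recon; sid:9000003; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ICMP echo request"; itype:8; classtype:misc-activity; sid:9000004; rev:1;)
"""

# Priorities from Snort's stock classification.config (1 = high, 2 = medium,
# 3 = low) for the classtypes used above. Treating that priority as Kerio's
# high/medium/low severity is an ASSUMPTION made for this example.
CLASSTYPE_PRIORITY = {"web-application-attack": 1, "attempted-admin": 1,
                      "attempted-recon": 2, "misc-activity": 3}
SEVERITY = {1: "high", 2: "medium", 3: "low"}
# Kerio's default action per severity, as described in the text.
DEFAULT_ACTION = {"high": "log and drop", "medium": "log", "low": "nothing"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?:->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
# Split on ';' only when it is outside double quotes (content:"a;b" stays whole).
OPT_SPLIT_RE = re.compile(r';\s*(?=(?:[^"]*"[^"]*")*[^"]*$)')

@dataclass
class Rule:
    action: str
    proto: str
    dport: str
    options: Dict[str, str]

    @property
    def sid(self) -> int:
        return int(self.options.get("sid", 0))

    @property
    def classtype(self) -> str:
        return self.options.get("classtype", "")

def parse_rules(text: str) -> List[Rule]:
    """Parse Snort text rules; raises on a non-comment line that is not a rule."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line[:60]}")
        opts: Dict[str, str] = {}
        for opt in filter(None, map(str.strip, OPT_SPLIT_RE.split(m["opts"]))):
            key, _, value = opt.partition(":")  # 'http_method' alone gives value ''
            opts[key.strip()] = value.strip().strip('"')
        rules.append(Rule(m["action"], m["proto"], m["dport"], opts))
    return rules

def find_by_sid(rules: Iterable[Rule], sid: int) -> Optional[Rule]:
    """What searching used.rules for a sid from the Security log does by hand."""
    return next((r for r in rules if r.sid == sid), None)

def disable_key(sid: int) -> str:
    """Kerio stores a disabled rule as gid:sid; gid 1 is Snort's text-rule engine."""
    return f"1:{sid}"

def severity(rule: Rule) -> str:
    return SEVERITY[CLASSTYPE_PRIORITY.get(rule.classtype, 3)]

def default_action(rule: Rule) -> str:
    return DEFAULT_ACTION[severity(rule)]

def http_ports(extra: Iterable[int] = ()) -> Set[int]:
    """The expected HTTP ports (80, 8000-8080, 3128) plus any added under Advanced."""
    return {80, 3128} | set(range(8000, 8081)) | set(extra)

def rule_sees_port(rule: Rule, port: int, http: Set[int]) -> bool:
    """Is the rule evaluated at all for traffic to `port`? Handles any, $HTTP_PORTS, N, N:M."""
    spec = rule.dport
    if spec == "any":
        return True
    if spec == "$HTTP_PORTS":
        return port in http
    lo, sep, hi = spec.partition(":")
    return int(lo) <= port <= int(hi) if sep else int(lo) == port

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(f"sid {r.sid}  {severity(r):<6} -> {default_action(r):<12} {r.options['msg']}")
    web = find_by_sid(rules, 9000001)
    print("port 8443 inspected by default:", rule_sees_port(web, 8443, http_ports()))
    print("after adding 8443 under Advanced:", rule_sees_port(web, 8443, http_ports([8443])))
    print("to disable it, enter:", disable_key(9000001))
```

Run it directly to see the table. The useful check is the last two prints: a web rule keyed to $HTTP_PORTS is never evaluated for a site on 8443 until that port is added under Advanced, so traffic to such a site is neither logged nor dropped by those rules.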

Blacklists

The other part of IPS is blacklists maintained by Emerging Threats. If you click on one of these, you'll go to the page that describes the list:
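As an added example (my own code, not Kerio's or Emerging Threats'), here is how an IP blacklist of this kind is applied and why the per-list action matters: netblocks are loaded from the one-CIDR-per-line format, an address is checked against every list, and the action configured for each matching list is looked up. The lists below are constructed from RFC 5737 documentation ranges and only the list names come from this page; letting the most severe action win when an address sits on several lists is an assumption.

```python
import ipaddress
from typing import Dict, List, Tuple

# CONSTRUCTED blacklists in the one-CIDR-per-line, '#'-comment format. The
# netblocks are RFC 5737 documentation ranges, not real Emerging Threats data;
# only the list names come from the page this example accompanies.
BLACKLISTS: Dict[str, str] = {
    "Compromised hosts": """
        # constructed sample
        192.0.2.0/24
        198.51.100.17      # a bare address is treated as /32
    """,
    "Russian Business Network": """
        # constructed sample
        203.0.113.0/24
    """,
}

# Per-list action as configured in Kerio; these mirror the defaults the text
# describes (the RBN list defaults to "Do nothing").
ACTIONS: Dict[str, str] = {"Compromised hosts": "log and drop",
                           "Russian Business Network": "nothing"}
RANK = {"nothing": 0, "log": 1, "log and drop": 2}

def parse_blacklist(text: str) -> list:
    """Return the list's netblocks; comments, blank lines and bare hosts are handled."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

LOADED = {name: parse_blacklist(body) for name, body in BLACKLISTS.items()}

def lookup(ip: str) -> List[Tuple[str, str]]:
    """Every (list name, matching CIDR) pair the address falls in."""
    addr = ipaddress.ip_address(ip)
    return [(name, str(net)) for name, nets in LOADED.items()
            for net in nets if addr in net]

def decide(ip: str, actions: Dict[str, str] = ACTIONS) -> str:
    """Action for traffic to/from `ip`. ASSUMPTION for this example: when an
    address is on several lists, the most severe configured action wins."""
    best = "nothing"
    for name, _ in lookup(ip):
        if RANK[actions[name]] > RANK[best]:
            best = actions[name]
    return best

def review(ips: List[str], actions: Dict[str, str] = ACTIONS) -> Dict[str, str]:
    """Decision per address, e.g. for a batch of destinations pulled from a log."""
    return {ip: decide(ip, actions) for ip in ips}

if __name__ == "__main__":
    # Constructed destinations: one compromised host, one address inside the
    # "RBN" block that might be a legitimate site, one on no list at all.
    sample = ["192.0.2.55", "203.0.113.9", "198.51.100.18"]
    print("defaults:       ", review(sample))
    stricter = {**ACTIONS, "Russian Business Network": "log and drop"}
    print("RBN set to drop:", review(sample, stricter))
```

The second run, with the RBN list switched to "log and drop", is the trade-off the next paragraph is about: every address in a listed netblock gets the same treatment, so a legitimate site hosted inside one of those ranges is dropped along with its neighbours.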

You might wonder (as I have) why the Russian Business Network default is "Do nothing". That's probably because there are legitimate websites in those IP ranges. On the other hand, this entry from Wikipedia might be a part of it also:

The RBN has been described by VeriSign as "the baddest of the bad". It offers web hosting services and internet access to all kinds of criminal and objectionable activities, with individual activities earning up to $150 million in one year. Businesses that take active stands against such attacks are sometimes targeted by denial of service attacks originating in the RBN network. RBN has been known to sell its services to these operations for $600 per month.

Apparently not the kind of people you want to upset.
