Set up intrusion prevention

Enable the intrusion prevention module and monitor network traffic for exploits using Detect mode. When you are satisfied with how your intrusion prevention rules are assigned, switch to Protect mode.

  1. Enable intrusion prevention in Detect mode
  2. Test intrusion prevention
  3. Apply recommended rules
  4. Monitor your system
  5. Enable 'fail open' for packet or system failures
  6. Switch to prevent mode
  7. Implement best practices for specific rules
CPU usage and RAM usage varies by your IPS configuration. To optimize IPS performance on Deep Security Agent, see Performance tips for intrusion prevention.

For an overview of the intrusion prevention module, see Block exploit attempts using intrusion prevention.

Enable intrusion prevention in Detect mode

Enable intrusion prevention and use Detect mode for monitoring. Configure intrusion prevention using the appropriate policies to affect the targeted computers. You can also configure individual computers.

  1. Go to Computer or Policy editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Intrusion Prevention > General.
  2. For Configuration, select either On or Inherited (On).
    Screenshot of Intrusion Prevention settings in Computer editor
  3. For Intrusion Prevention Behavior, select Detect.
  4. With Deep Security Agent 11.1 and earlier, the Intrusion Prevention module inspects traffic that passes through the host computer's network interface to containers. With Deep Security Agent 11.2 or later, it can also inspect traffic between containers. When the Scan container network traffic setting is set to Yes, Deep Security scans the traffic that goes through both containers and hosts. When it is set to No, Deep Security scans only the traffic that goes through the host network interface.
  5. Click Save.
If the behavior settings are not available, Network Engine Mode may be set to Tap. (See Test Firewall rules before deploying them.)

For more fine-grained control, when you assign intrusion prevention rules, you can override the global behavior mode and configure specific rules to either prevent or detect. (See Override the behavior mode for a rule.)

Test intrusion prevention

You should test that the intrusion prevention module is working properly before continuing with further steps.

  1. If you have an agent-based deployment, make sure you have a computer that has an agent running. For an agentless deployment, make sure your Deep Security Virtual Appliance is running normally.
  2. Turn off the web reputation module. In Deep Security Manager, click Computers, then double-click the computer where you'll test intrusion prevention. In the computer's dialog box, click Web Reputation, and select Off. Web reputation is now disabled and won't interfere with the intrusion prevention functionality.
  3. Make sure bad traffic is blocked. Still in the computer's dialog box, click Intrusion Prevention, and under the General tab, select Prevent. (If it is shaded, set the Configuration drop-down list to Inherited (On).)
  4. Assign the EICAR test policy. Still in the computer's dialog box, click Intrusion Prevention. Click Assign/Unassign. Search for 1005924. The 1005924 - Restrict Download of EICAR Test File Over HTTP policy appears. Select its check box and click OK. The policy is now assigned to the computer.
  5. Try to download the EICAR file (you can't, if intrusion prevention is running properly). On Windows, go to this link: http://www.eicar.org/download/eicar.com.txt. On Linux, enter this command: curl -O http://www.eicar.org/download/eicar.com
  6. Check the intrusion prevention events for the computer. Still in the computer's dialog box, click Intrusion Prevention > Intrusion Prevention Events. Click Get Events to see events that have occurred since the last heartbeat. An event appears with a Reason of 1005924 - Restrict Download of EICAR Test File Over HTTP. The presence of this event indicates that intrusion prevention is working.
  7. Revert your changes to return your system to its previous state. Turn on the Web Reputation module (if you turned it off), reset the Prevent or Detect option, and remove the EICAR policy from the computer.

Apply recommended rules

To maximize performance, minimize the number of intrusion prevention rules that are assigned to your policies and computers. Therefore, you should assign only the rules that are required. Use a recommendation scan to obtain a list of rules that are appropriate.

Although recommendation scans are performed for a specific computer, you can assign the recommendations to a policy that the computer uses.

For more information, see Manage and run recommendation scans.

  1. Open the properties for the computer to scan. Run the recommendation scan as described in Manually run a recommendation scan.
    Do not automatically assign the recommended rules.
  2. Open the policy to which you want to assign the rules, and complete the rule assignments as described in Check scan results and manually assign rules.

To automatically and periodically fine tune your assigned intrusion prevention rules, you can schedule recommendation scans. See Schedule Deep Security to perform tasks.

Monitor your system

After you apply intrusion prevention rules, monitor system performance and intrusion prevention event logs.

Monitor system performance

Monitor CPU, RAM, and network usage to verify that system performance is still acceptable. If not, you can modify some settings and deployment aspects to improve performance. (See Performance tips for intrusion prevention.)

Check intrusion prevention events

Monitor intrusion prevention events to ensure that rules are not matching legitimate network traffic. If a rule is causing false positives you can unassign the rule. (See Assign and unassign rules.)

To see intrusion prevention events, click Events & Reports > Intrusion Prevention Events.

Enable 'fail open' for packet or system failures

The intrusion prevention module includes a network engine that might block packets before intrusion prevention rules can be applied. This might lead to downtime or performance issues with your services and applications. You can change this behavior so that packets are allowed through when system or internal packet failures occur. For details, see Enable 'fail open' behavior.

Switch to prevent mode

When you are satisfied that intrusion prevention is not finding false positives, configure your policy to use intrusion prevention in Prevent mode so that rules are enforced and related events are logged.

  1. Go to Computer or Policy editorClosedYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Intrusion Prevention > General.
  2. For Intrusion Prevention Behavior, select Detect.
  3. Click Save.

Implement best practices for specific rules

HTTP Protocol Decoding rule

The HTTP Protocol Decoding rule is the most important rule in the "Web Server Common" Application Type. This rule decodes the HTTP traffic before the other rules inspect it. This rule also allows you to control various components of the decoding process.

This rule is required when you use any of the Web Application Common or Web Server Common rules that require it. The Deep Security Manager automatically assigns this rule when it is required by other rules. As each web application is different, the policy that uses this rule should run in Detect mode for a period of time before switching to Prevent mode to determine if any configuration changes are required.

Quite often, changes are required to the list of illegal characters.

Refer to the following Knowledge Base articles for more details on this rule and how to tune it:

Cross-site scripting and generic SQL injection rules

Two of the most common application-layer attacks are SQL injection and cross-site scripting (XSS). Cross-site scripting and SQL injection rules intercept the majority of attacks by default, but you may need to adjust the drop score for specific resources if they cause false positives.

Both rules are smart filters that need custom configuration for web servers. If you have output from a Web Application Vulnerability Scanner, you should leverage that information when applying protection. For example, if the user name field on the login.asp page is vulnerable to SQL injection, ensure that the SQL injection rule is configured to monitor that parameter with a low threshold to drop on.

For more information, see https://success.trendmicro.com/solution/1098159

Apply NSX security tags