Intrusion prevention settings

The Intrusion Prevention module protects computers from being exploited by attacks against known and zero-day vulnerability attacks as well as against SQL injections attacks, cross-site scripting attacks, and other web application vulnerabilities. It shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network.

CPU usage and RAM usage varies by your IPS configuration. To optimize IPS performance on Deep Security Agent, see Performance tips for IPS.

The Intrusion Prevention section of the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). has the following tabbed sections:

General

Intrusion Prevention

You can configure this Policy or Computer to inherit its Intrusion Prevention On or Off state from its parent Policy or you can lock the setting locally.

Set the Intrusion Prevention behavior to "Prevent" or "Detect".

When first applying a new set of Intrusion Prevention Rules you can choose to set the Intrusion Prevention behavior to "Detect". When in Detect mode, the Intrusion Prevention engine will apply all the same Intrusion Prevention Rules to traffic but instead of dropping packets, it will only log an Event and let the traffic pass. Use this behavior to ensure the new Intrusion Prevention Rules will not interfere with legitimate traffic.

This setting only applies when the Network Engine is operating Inline; that is, live traffic is being streamed through the Deep Security network engine. The alternative to Inline mode is Tap mode, where the live traffic is cloned, and it is only this cloned traffic that is analyzed by the network engine. Prevent mode is impossible when in Tap Mode because the network engine does not control the live traffic stream.

To switch between Inline and Tap mode, open a Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). and go to Settings > Advanced > Network Engine Mode.

Assigned Intrusion Prevention Rules

Displays the Intrusion Prevention Rules that are in effect for this Policy or computer. To add or remove Intrusion Prevention Rules, click Assign/Unassign. This will display a window showing all available Intrusion Prevention Rules from which you can select or deselect Rules.

From a Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). window, you can edit an Intrusion Prevention Rule so that your changes apply only locally in the context of your editor, or you can edit the Rule so that the changes apply globally to all other Policies and Computers that are using the Rule.

To edit the Rule locally, select the Rule and click Properties or right-click the Rule and click Properties.

To edit the Rule globally, right-click the Rule and click Properties (Global).

Recommendations

Deep Security can perform regular Recommendation Scans which scan a computer and make recommendations about the application of various security Rules. Selecting this checkbox will automatically assign recommended rules for the computer and automatically unassign rules that are not required.

If you select this option, you should also opt to allow Deep Security Rule Updates to automatically assign new Intrusion Prevention Rules. Go to Administration > System Settings > Updates and select Automatically apply new Rule Updates to Policies in the Rule Updates area.

To schedule periodic Recommendation Scans, in the Deep Security Manager go to Administration > Scheduled Tasks and create a new Scheduled Task.

Advanced

Event Data

Allow Intrusion Prevention Rules to capture data for first hit of each rule (in period): Determines whether Deep Security will save the packet data which triggered an Intrusion Prevention Rule. This setting works in conjunction with the advanced Computer and policy editor settings that can be found in Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Settings > Advanced > Advanced Network Engine Settings.

  • Log All Packet Data: Record the packet data for Events that are not associated with specific Firewall or Intrusion Prevention Rules. That is, log packet data for Events such as "Dropped Retransmit" or "Invalid ACK".
    Events that have been aggregated because of Event folding cannot have their packet data saved.
  • Log only one packet within period: If this option is enabled and Log All Packet Data is not, most logs will contain only the header data. A full packet will be attached periodically, as specified by the Period for Log only one packet within period setting.
  • Period for Log only one packet within period: When Log only one packet within period is enabled, this setting specifies how often the log will contain full packet data.
  • Maximum data size to store when packet data is captured:The maximum size of header or packet data to be attached to a log.

Rule Updates

Automatically assign new Intrusion Prevention Rules as required by updated Application Types and Intrusion Prevention Rule dependencies: Security Updates sometimes include new or updated Application Types and Intrusion Prevention Rules which require the assignment of secondary Intrusion Prevention Rules. This setting will allow Deep Security to automatically assign these Rules if they are required by the Application Types or Intrusion Prevention Rules that were assigned to a Policy or computer during a Security Update.

SSL Configurations (Computer editors only)

Deep Security Manager supports Intrusion Prevention analysis of SSL traffic. The SSL Configurations page allows you to create SSL Configurations for a given certificate-port pair on one or more interfaces. Certificates can be imported in P12 or PEM format and Windows computers have the option of using Windows CryptoAPI directly. Credential files must include the server's private key.

To create a new SSL Configuration, click New and follow the steps in the SSL Configuration wizard.

If the computer you are configuring is being installed on the computer hosting the Deep Security Manager, the wizard will let you use credentials already stored in the Deep Security Manager.

Double-click an existing configuration to display its Properties window.

Assignment

  • General Information: The name and description of the SSL configuration, and whether it is enabled on this computer.
  • Interface Assignments: Which interfaces this configuration is being applied to.
  • IP Assignment: Which IP(s) this configuration applies to.
  • Port Selection: Which port(s) this configuration applies to.

Credentials

The Credentials tab lists the current credentials, and has an Assign New Credentials button which lets you change them.

Filtering of SSL traffic is only supported by the Deep Security Agent, not the Deep Security Appliance. The Agent does not support filtering SSL connections on which SSL compression is implemented.

For information on setting up SSL filtering, see Inspect SSL traffic.

NSX Security Tagging

Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.

NSX Security tags are part of the VMware vSphere NSX environment and are not to be confused with Deep Security Event Tags. For more information on Deep Security Event Tagging, see see Apply tags to identify and group events.

Intrusion Prevention events have a severity level that is determined by the severity level of the Intrusion Prevention Rule that caused it.

The severity level of an Intrusion Prevention rule is configurable on the Rule Properties > General tab.

Intrusion Prevention rule severity levels map to NSX tags as follows:

IPS rule severity NSX security tag
Critical IDS_IPS.threat=high
High IDS_IPS.threat=high
Medium IDS_IPS.threat=medium
Low IDS_IPS.threat=low

You can configure the sensitivity of the tagging mechanism by specifying the minimum Intrusion Prevention severity level that will cause an NSX security tag to be applied to a VM.

The options for the Minimum rule severity to trigger application of an NSX Security Tag setting are:

  • Default (No Tagging): No NSX tag is applied.
  • Critical: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Critical is triggered.
  • High: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of High or Critical is triggered.
  • Medium: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Medium, High, or Critical is triggered.
  • Low: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Low, Medium, High, or Critical is triggered.

Separate settings are provided for Rules that are operating in Prevent mode and for Rules that operating in Detect-only mode.

Whether an IPS Rule is operating in Prevent or Detect-only mode is determined not only by the Intrusion Prevention module setting (Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Intrusion Prevention > General tab), but also by the configuration of the individual Rule itself (Rule Properties > General tab > Details).

Events

Log Inspection Events are displayed the same way as they are in the main Deep Security Manager window except that only Events relating to this Policy or specific computer are displayed.