Administrator's Guide - Kerio Software Archive
8.1 Network intrusion prevention system (IPS)

Firewall and Intrusion Prevention System

• Log — the detected intrusion will only be recorded in the Security log,
• No action — the detected intrusion will be ignored.

Default and recommended settings for individual intrusion severity levels:

• High severity → Log and drop,
• Medium severity → Log,
• Low severity → No action (in case there is a suspicion of too many false alarms, see also Advanced settings).

The functionality of the intrusion prevention system can be tested by clicking the link on a special web page on one of the Kerio Technologies servers. Upon startup of the test, three fake, harmless intrusions of high, medium and low severity are sent to the client's address (i.e. to the IP address of your firewall). The test script then evaluates whether the firewall let the intrusion attempts in or blocked them. The Security log will also include three corresponding records stating whether the firewall blocked, only logged or ignored the intrusions (for details, see chapter 22.11).

Note: This test is designed only for the intrusion prevention system built into Kerio Control. It cannot be used for testing other IDS/IPS products.

Use of known intruders databases (blacklists)

In addition to detecting known intrusion types, it is also possible to detect and block traffic from IP addresses listed in web databases of known intruders (so-called blacklists). In this case, all traffic from the IP address is logged and possibly blocked. This method of detecting and blocking intruders is much faster and less demanding than detection of individual intrusion types. However, the method also has disadvantages: blacklists cannot include the IP addresses of all possible intruders, as intruders often use fake addresses, and a blacklist may also include IP addresses of legitimate clients or servers.

Therefore, the same actions can be set for blacklists as for detected intrusions:

• Log and drop — information about the detected traffic and the blocked IP address will be recorded in the Security log and any network traffic from that IP address will be blocked,
• Log — information about the detected traffic and the IP address will only be recorded in the Security log,
• No action — the detected blacklisted IP address will not be treated as an intruder.

Note: Kerio Control does not include the option of adding custom blacklists.

Update of intrusions and known intruders databases

For correct functionality of the intrusion detection system, the databases of known intrusions and intruder IP addresses must be updated regularly. Kerio Control allows an interval for regular automatic updates to be set (the default value is 24 hours), and an immediate update can also be performed if needed (e.g. after a longer power outage). Under usual circumstances there is no reason to disable automatic updates; outdated databases decrease the effectiveness of the intrusion prevention system.

Warning: For update of the databases, a valid Kerio Control license or a registered trial version is required. For details see chapter 4.

Advanced Options

Kerio Control allows advanced parameters for the intrusion prevention system to be set. These parameters can increase the effectiveness of the intrusion prevention system and help avoid so-called false positives. However, it is recommended not to change these parameters unless you are absolutely sure about the values!

Figure 8.2 Intrusion prevention system advanced options
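To make the action semantics above concrete, here is a small added model (constructed for this guide, not Kerio Control's own code) of the default severity-to-action policy and the blacklist actions, together with a routine that mimics the three-intrusion self-test and reports what the Security log records would say. The IP addresses and record wording are made up for the example.

```python
from dataclasses import dataclass, field

LOG_AND_DROP, LOG, NO_ACTION = "Log and drop", "Log", "No action"
# Default actions per severity, as recommended by the guide.
DEFAULT_SEVERITY_ACTIONS = {"high": LOG_AND_DROP, "medium": LOG, "low": NO_ACTION}


@dataclass
class Ips:
    """Constructed model of the IPS action policy (not Kerio's implementation)."""
    severity_actions: dict = field(default_factory=lambda: dict(DEFAULT_SEVERITY_ACTIONS))
    blacklist_action: str = LOG_AND_DROP
    blacklist: set = field(default_factory=set)    # addresses from the intruder database
    security_log: list = field(default_factory=list)
    blocked: set = field(default_factory=set)      # addresses dropped via "Log and drop"

    def handle(self, src_ip, severity=None):
        """Process one packet; return True if it is dropped.
        severity is None when no intrusion signature matched."""
        if src_ip in self.blocked:
            return True  # every further packet from a blocked blacklist address is dropped
        if src_ip in self.blacklist and self.blacklist_action != NO_ACTION:
            self.security_log.append(f"blacklist {src_ip}: {self.blacklist_action}")
            if self.blacklist_action == LOG_AND_DROP:
                self.blocked.add(src_ip)
                return True
        if severity is not None:
            action = self.severity_actions[severity]
            if action != NO_ACTION:
                self.security_log.append(f"intrusion {severity} from {src_ip}: {action}")
            return action == LOG_AND_DROP
        return False


def run_self_test(ips, test_src_ip="198.51.100.7"):
    """Mimic the test page: three fake intrusions (high, medium, low) arrive
    from the test server and each is reported as blocked, logged or ignored."""
    results = []
    for severity in ("high", "medium", "low"):
        before = len(ips.security_log)
        dropped = ips.handle(test_src_ip, severity)
        logged = len(ips.security_log) > before
        outcome = "blocked" if dropped else ("logged" if logged else "ignored")
        results.append((severity, outcome))
    return results
```

With the defaults, the self-test yields blocked / logged / ignored and leaves two Security log records, which is the pattern an administrator should expect to see after running the test page.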