Skip to content

Network Intrusion

Network Intrusion Prevention System(IPS) or sometimes known as Intrusion Detection System(IDS) provides deep packet inspection on traffic for known and zero-day vulnerability exploits.

The Valtix Network Intrusion engine leverages a TALOS database, the commercially managed version of Snort. Updates to the network intrusion database are available with a threat package subscription.

Step 1: Create IPS Profile

  1. Navigate to Manage -> Profiles -> Network Threats
  2. Click Create Intrusion Profile
  3. Select Network Intrusion
  4. Provide a name and description (eg. Name: IPS-tutorial)
  5. Click Automatic mode for Talos Ruleset Version selection
  6. In Automatic mode, select how many days to delay the deployment by, after the ruleset version is published by Valtix.
  7. Hover mouse over Balanaced in the Profile Builder panel and click on the "+" sign.
  8. Click Save

Step 2: Attach IPS Profile to Policy

  1. Click Manage -> Security Policy -> Rules
  2. Find the Ruleset name that's associated with the Ingress Gateway
  3. Click the Ruleset name
  4. In previous section, we created rule {{ no such element: dict object['rule'] }}. Click on the table row for {{ no such element: dict object['rule'] }} and click Edit
  5. In the Profiles section, select IPS-tutorial for Network Intrusion.
  6. Click Save

Step 3: Traffic test

To test IPS initial a connection from your laptop to download a zip file from the spoke-vm through the Valtix Gateway.

  1. In previous step, we have created a policy to protect spoke-vm. Generate a file in the spoke-vm in /home/centos/html. dd if=/dev/zero of=/home/centos/html/test_file.dat bs=1M count=24
  2. Zip the file that was generated. zip /home/centos/html/ test_file.dat
  3. From your laptop, download the zip file by opening a browser and type https://<Valtix Gateway endpoint>/ in URL
  4. Navigate to Investigate -> Flow Analytics -> Traffic Summary.
  5. Click on the Logs tab.
  6. Your session is shown there. Below are few things that will be logged.
    • Under the URI column, you will see "/"
    • Total Threats is 1.
  7. Navigate to Investigate -> Flow Analytics -> Network Threats
  8. You will see an entry related to download of the zip file and Action is LOG.