Network Intrusion
A Network Intrusion Prevention System (IPS), sometimes also referred to as an Intrusion Detection System (IDS), provides deep packet inspection of traffic for known and zero-day vulnerability exploits.
The Valtix Network Intrusion engine leverages the TALOS database, the commercially managed ruleset for Snort. Updates to the network intrusion database are available with a threat package subscription.
Step 1: Create IPS Profile
- Navigate to Manage -> Profiles -> Network Threats
- Click Create Intrusion Profile
- Select Network Intrusion
- Provide a name and description (e.g. Name: IPS-tutorial)
- Click Automatic mode for Talos Ruleset Version selection
- In Automatic mode, select the number of days by which to delay deployment after a ruleset version is published by Valtix.
- Hover the mouse over Balanced in the Profile Builder panel and click the "+" sign.
- Click Save
Step 2: Attach IPS Profile to Policy
- Click Manage -> Security Policy -> Rules
- Find the Ruleset name that is associated with the Ingress Gateway
- Click the Ruleset name
- In the previous section, we created rule {{ no such element: dict object['rule'] }}. Click on the table row for {{ no such element: dict object['rule'] }} and click Edit
- In the Profiles section, select IPS-tutorial for Network Intrusion.
- Click Save
Step 3: Traffic test
To test the IPS, initiate a connection from spoke-vm to download a zip file.
- In the previous step, we created a policy to protect spoke-vm. Log in to the spoke-vm
- In the spoke-vm, download the zip file from GitHub:
wget --no-check-certificate https://github.com/valtix-security/tutorials/blob/main/test.zip
- Navigate to Investigate -> Flow Analytics -> Traffic Summary.
- Click on the Logs tab.
- Your session is shown there. Below are a few of the things that will be logged:
    - Under the URI column, you will see "/test.zip"
    - Total Threats is 1
- Navigate to Investigate -> Flow Analytics -> Network Threats
- You will see an entry related to the download of the zip file, and the Action is LOG.
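As an added example that is not part of the original tutorial or of Valtix's own tooling, the following check encodes the expected outcome of this traffic test so it can be run against exported log records rather than read off the console by eye. The record shape and field names are assumptions for this example; adapt them to the columns your log export carries (URI, Total Threats, Action), and note that a session with zero threats usually means the profile is not attached to the rule or the Automatic-mode ruleset has not been deployed yet because of the delay days chosen in Step 1.

```python
"""Verify the Step 3 traffic test against exported flow/threat log records.

FlowRecord and its field names are assumptions for this example, not a
documented Valtix export format.
"""
from dataclasses import dataclass


@dataclass
class FlowRecord:
    source: str          # client that opened the session, e.g. spoke-vm
    uri: str             # URI column in Traffic Summary -> Logs
    total_threats: int   # Total Threats column
    action: str          # Action column in Network Threats (LOG, ...)


def check_ips_test(records, uri="/test.zip"):
    """Return (ok, reason) for the tutorial's expected outcome.

    Expected: one session for `uri` with Total Threats >= 1 and Action LOG.
    Each failure reason names the most likely configuration gap.
    """
    hits = [r for r in records if r.uri == uri]
    if not hits:
        return False, ("no session for %s: traffic did not traverse the "
                       "gateway or the policy rule did not match" % uri)
    r = hits[-1]  # most recent session for the test URI
    if r.total_threats < 1:
        return False, ("session logged but Total Threats is 0: IPS profile "
                       "not attached to the rule, or Automatic-mode ruleset "
                       "not deployed yet (check the delay days)")
    if r.action != "LOG":
        return False, "threat found but Action is %s, expected LOG" % r.action
    return True, "IPS detected download of %s (threats=%d, action=%s)" % (
        uri, r.total_threats, r.action)


# Constructed sample records for the example; not real Valtix log output.
SAMPLE_OK = [
    FlowRecord("spoke-vm", "/", 0, "ALLOW"),
    FlowRecord("spoke-vm", "/test.zip", 1, "LOG"),
]
SAMPLE_NO_PROFILE = [FlowRecord("spoke-vm", "/test.zip", 0, "ALLOW")]
```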