
CyberGuard sg565 User Manual

288 pages
Firewall
Warning
The list of network ports can be freely edited; however, adding network ports used by
services running on the CyberGuard SG appliance (such as telnet) may compromise the
security of the device and your network. It is strongly recommended that you use the pre-
defined lists of network ports only.
Advanced Intrusion Detection and Prevention (Snort and IPS)
Advanced Intrusion Detection and Prevention is based on two variants of the tried and
tested intrusion detection and prevention system Snort v2.
Snort in IDS (Intrusion Detection System) mode resides in front of the firewall, and
detects and logs a very wide range of attacks. Snort in IPS (Intrusion Prevention
System) mode resides behind the firewall, and detects and blocks a wide range of
attacks.
The primary advantage of running Snort IDS (Snort) in front of the firewall is that it sees
unfiltered network traffic, and is therefore able to detect a wider range of attacks. The
primary advantage of running Snort IPS (IPS) behind the firewall is that suspicious
network traffic can be disallowed, rather than simply flagged as suspicious and allowed
to pass.
Snort uses a combination of methods to perform extensive network traffic analysis on the
fly. These include protocol analysis, inconsistency detection, historical analysis and
rule-based inspection engines. Snort can detect many attacks by checking the destination
port number and TCP flags, and by doing a simple search through the packet’s data payload.
Rules can be quite complex, allowing a trigger if one criterion matches but another fails,
and so on. Snort can also detect malformed network packets and protocol anomalies.
Snort can detect attacks and probes such as buffer overflows, stealth port scans, CGI
attacks, NetBIOS SMB probes, OS fingerprinting attempts and many other common and
not so common exploits.
You may use Snort in IDS and IPS mode simultaneously if you choose; however, this
consumes a lot of the CyberGuard SG appliance’s memory.
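
The rule criteria and the IDS/IPS distinction described above, as an added example that is not part of the manual and is not Snort's own rule language or engine. The Packet and Rule classes, the two rules and the sample traffic are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10   # TCP header flag bits

@dataclass
class Packet:                 # constructed stand-in for a parsed TCP segment
    dst_port: int
    flags: int
    payload: bytes = b""

@dataclass
class Rule:                   # hypothetical simplified rule, not Snort rule syntax
    msg: str
    dst_port: int
    flags: Optional[int] = None   # exact TCP flag combination, if set
    content: bytes = b""          # must appear in the payload
    not_content: bytes = b""      # must be absent from the payload

    def matches(self, p: Packet) -> bool:
        if p.dst_port != self.dst_port:
            return False
        if self.flags is not None and p.flags != self.flags:
            return False
        if self.content and self.content not in p.payload:
            return False
        return not (self.not_content and self.not_content in p.payload)

def inspect(packets, rules, mode):
    """Return (forwarded, log): 'ids' only logs, 'ips' also drops matches."""
    forwarded, log = [], []
    for p in packets:
        hits = [r.msg for r in rules if r.matches(p)]
        log.extend(hits)
        if not (hits and mode == "ips"):
            forwarded.append(p)
    return forwarded, log

RULES = [
    Rule("SYN+FIN probe", dst_port=22, flags=SYN | FIN),
    Rule("CGI request without User-Agent", dst_port=80,
         content=b"/cgi-bin/", not_content=b"User-Agent:"),
]
SAMPLE = [  # constructed traffic
    Packet(80, PSH | ACK, b"GET /index.html HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"),
    Packet(80, PSH | ACK, b"GET /cgi-bin/status HTTP/1.0\r\n\r\n"),
    Packet(80, PSH | ACK, b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"),
    Packet(22, SYN | FIN),
]
```

Calling inspect(SAMPLE, RULES, "ids") logs both matches and forwards all four packets, while "ips" produces the same log but forwards only the two packets that matched no rule.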
Snort and IPS configuration
Select Intrusion Detection from the Firewall section of the main menu, and click the
Snort tab to configure Snort in IDS mode, or IPS to configure Snort in IPS mode. The
fields displayed
