A *** Defense System (Intrusion Prevention System) is an effective complement to anti-virus software and firewalls. An IPS monitors the network for abnormal traffic and can immediately interrupt, block, or raise an alarm on abnormal network behaviour originating inside or outside the network.
In WFilter NGF we have integrated a *** defense system based on Snort. Its main functions cover the following three areas:
Protecting internal network servers: web servers, file servers, mail servers.
Detecting *** network terminals and malicious software.
Detecting network behaviour anomalies on network terminals.
In this article I briefly introduce how these three functions are implemented.
1. Protection of internal network servers
Within an enterprise LAN there are usually many services: ERP, CRM, OA and other web servers, file servers, mail servers and so on. Some of these services are published to the Internet and are easily ***. In the WSG "*** test" settings, enable the "system vulnerabilities ***" and "server vulnerability ***" options; this effectively detects *** against the server. As shown below:
For *** from the external network, you can set "log and block IP for 10 minutes", so that as soon as a *** IP is detected its connections are immediately prohibited, preventing its subsequent *** behaviour. For *** from the internal network, you can log and record alarm events for later examination and verification.
2. Detection of *** terminals and malware within the network
Rampant viruses and *** software lead to large numbers of infected machines and mining machines within the LAN. For the network administrator, cleaning up these infected and mining machines is definitely not an easy job. From a technical perspective, these programs *** exhibit certain network features, and they can be detected and located by means of those network features. The system can locate the terminal by detecting ***, after which the terminal can be dealt with. Figure:
3. Network behaviour anomaly detection for network terminals
This feature is intended for custom detection rules that detect specific, personalised content. For example, you may need to detect an event in which the network accesses a particular IP address. Such a check can be added as a custom rule, as shown below:
Custom rule format: alert tcp $HOME_NET any -> 120.55.165.132 22 (msg:"SSH attempt"; sid:1000003; rev:1;)
Meaning: TCP traffic from any port (any) of the local network (HOME_NET) to port 22 of 120.55.165.132 triggers a *** detection event named "SSH attempt".
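To make the rule header concrete, here is an added example (not WFilter's or Snort's own code) that parses a single-line Snort rule such as the one above, expands $HOME_NET, checks that the sid lies in the range Snort sets aside for local rules (1,000,000 and up), and evaluates the header against a few constructed flow tuples. The HOME_NET value and the flow records are assumptions made up for the example; only the header fields are matched, so payload options such as content: are not evaluated.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-in for the HOME_NET variable (an assumption: the article does not
# say how WFilter defines HOME_NET, so two private ranges are used here).
VARIABLES = {"HOME_NET": ["192.168.0.0/16", "10.0.0.0/8"]}

# Snort reserves sids below 1,000,000 for official rule sets; local rules start at 1,000,000.
LOCAL_SID_START = 1_000_000

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[List[ipaddress.IPv4Network]]   # None means "any"
    sport: Optional[int]                           # None means "any"
    direction: str
    dst: Optional[List[ipaddress.IPv4Network]]
    dport: Optional[int]
    options: Dict[str, str] = field(default_factory=dict)


def _resolve_addr(token: str):
    """Expand 'any', a $VARIABLE, or a literal host/CIDR into network objects."""
    if token == "any":
        return None
    nets = VARIABLES[token[1:]] if token.startswith("$") else [token]
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def _resolve_port(token: str) -> Optional[int]:
    if token == "any":
        return None
    port = int(token)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def parse_rule(text: str) -> Rule:
    """Parse one single-line Snort rule; raises ValueError on malformed input."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a recognisable Snort rule header")
    options: Dict[str, str] = {}
    for part in m["opts"].split(";"):       # simple split; escaped ';' in msg is not handled
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            options[key.strip()] = value.strip().strip('"')
    if "sid" not in options:
        raise ValueError("rule has no sid; Snort requires one")
    return Rule(m["action"], m["proto"], _resolve_addr(m["src"]), _resolve_port(m["sport"]),
                m["dir"], _resolve_addr(m["dst"]), _resolve_port(m["dport"]), options)


def is_local_sid(rule: Rule) -> bool:
    """True when the sid sits in the range Snort sets aside for user-written rules."""
    return int(rule.options["sid"]) >= LOCAL_SID_START


def _addr_ok(nets, ip) -> bool:
    return nets is None or any(ip in n for n in nets)


def _port_ok(want: Optional[int], port: int) -> bool:
    return want is None or want == port


def rule_matches(rule: Rule, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> bool:
    """Header-only match of a flow tuple; '<>' rules also match the reverse direction."""
    if proto != rule.proto:
        return False
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    forward = (_addr_ok(rule.src, s) and _port_ok(rule.sport, src_port)
               and _addr_ok(rule.dst, d) and _port_ok(rule.dport, dst_port))
    if rule.direction == "->":
        return forward
    reverse = (_addr_ok(rule.src, d) and _port_ok(rule.sport, dst_port)
               and _addr_ok(rule.dst, s) and _port_ok(rule.dport, src_port))
    return forward or reverse


# The custom rule from the article.
ARTICLE_RULE = 'alert tcp $HOME_NET any -> 120.55.165.132 22 (msg:"SSH attempt"; sid:1000003; rev:1;)'

# Constructed flow records (sample data made up for this example, not captured traffic).
SAMPLE_FLOWS = [
    ("tcp", "192.168.1.20", 51234, "120.55.165.132", 22),   # internal host to the watched port
    ("tcp", "192.168.1.20", 51235, "120.55.165.132", 443),  # same hosts, different port
    ("udp", "192.168.1.20", 51236, "120.55.165.132", 22),   # wrong protocol
    ("tcp", "203.0.113.9", 40000, "120.55.165.132", 22),    # source outside HOME_NET
]


def alerts_for(flows, rule_text: str = ARTICLE_RULE):
    """Return the rule's msg once for each flow that triggers it, in flow order."""
    rule = parse_rule(rule_text)
    return [rule.options["msg"] for f in flows if rule_matches(rule, *f)]


if __name__ == "__main__":
    r = parse_rule(ARTICLE_RULE)
    print("local sid:", is_local_sid(r))
    print("alerts:", alerts_for(SAMPLE_FLOWS))
```

Only the first constructed flow triggers the rule: the second fails on the destination port, the third on the protocol, and the fourth because its source is not in HOME_NET. Keeping custom sids at 1,000,000 or above, as the article's rule does, avoids colliding with sids shipped in upstream rule sets.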
To sum up, "*** defense" is very powerful: used well, this module effectively protects internal network security and detects infected and mining machines in the network. If you can write your own rules, you can achieve even more powerful detection.