Intrusion Prevention System (IDS/IPS)

Zentyal integrates Snort [2], one of the most popular IDS, available for both Windows and Linux systems and Suricata [3] as the IPS solution.

[2]http://www.snort.org
[3]http://www.openinfosecfoundation.org/

Configuring an IDS/IPS with Zentyal

Configuration of the IDS/IPS System in Zentyal is very easy. First, you have to specify which network interfaces you need IDS/IPS to listen on. After this, you can choose different groups of filters that will be applied to the captured traffic in order to detect suspicious activity.

You can access both configuration options through the IDS/IPS menu. In this section, on the Interfaces tab, a table with all the configured network interfaces will appear. All of them are disabled by default due to the increased network latency and CPU consumption caused by the inspection of the traffic. However, you can enable any of them by clicking on the checkbox.

_images/ids-01-interfaces.png

Network interface configuration for IDS

In the Rules tab you have a table preloaded with all the Snort rulesets installed on your system. A typical set of rules is enabled by default. From this interface you can choose if you want to just Log (Default), or Block or Log & Block the source of the suspicious traffic.

You can save CPU time disabling those rules you are not interested in, for example, those related to services not available in your network. If you have extra hardware resources you can also enable additional rules.

_images/ids-02-rules.png

Logging and blocking scan attempts

IDS/IPS Alerts

The IDS/IPS module is integrated with the Zentyal logs module so if the latter is enabled, you can query the different IDS alerts using the usual procedure. Similarly, you can configure an event for any of these alerts to notify the systems administrator.

_images/ids_logs.png

Logging and blocking scan attempts (nmap)

For additional information, see the Logs chapter.