Alta Help Center

Intrusion Prevention and Detection with Route10

Matt Baer

What is IPS/IDS?

IPS/IDS stands for Intrusion Prevention System / Intrusion Detection System. These systems evaluate traffic against a set of signatures in order to alert on, and optionally block, potential security issues; matches are grouped by the probable severity of the signature that fired.

Suricata

There are several implementations, but the Route10 employs Suricata with the Emerging Threats GPL signature set to protect your network. The signatures are updated every day so that detection keeps pace with newly discovered threats. More details can be found at their website here, with the specific ruleset found here.

Performance

The Route10 handles all of this detection and prevention on the router itself, while maintaining 10 Gbps throughput for your legitimate traffic.

Enabling IPS/IDS

From the management platform (https://manage.alta.inc), navigate to the site’s main Settings, then Firewall, and finally Intrusion Prevention.

Enable IPS/IDS to activate intrusion detection and prevention features.

When Inline Mode is enabled, traffic is inspected by the IDS engine before it is allowed to pass. This allows threats to be blocked immediately, rather than after detection occurs in non-inline mode. Inline Mode provides stronger protection but requires additional processing resources.

The Notification Level defines the minimum severity required to generate alerts or notifications. The Block Level defines the minimum severity required for traffic to be automatically blocked. It is generally recommended to keep the Notification Level and Block Level set to the same value.

The Block Duration setting determines how long detected threats will remain blocked, in hours. Fractional values are supported (for example, 0.5 equals 30 minutes). While a block is active, all traffic between the source and destination IP addresses will be denied. If no Block Duration is specified, only the individual detected threat attempt will be blocked.

Categories

The Categories section lets you choose which types of threats and suspicious activity the IDS/IPS engine should look for. These categories are grouped by value to help balance protection, system resource usage, and the likelihood of false positives. High-value categories cover common, higher-risk threats such as malware, exploits, DNS attacks, and attack responses. Medium- and low-value categories include broader or more specialized detections, such as phishing, reconnaissance activity, remote administration tools, adware, and web application traffic. Enabling more categories can improve visibility and protection, but it may also use additional system resources and increase the chance that legitimate traffic is flagged or blocked. Categories should be selected based on the security needs and traffic patterns of the network.

Hover over the “?” on each rule section to see a brief description of what the rule set covers.

Finally, you may specify which VLANs and associated subnets are subject to IPS monitoring. The default All option is generally recommended.

Note: Low has been removed from block levels, as it may generate superfluous alerts and protective actions for minor threat indicators. Many people would consider these false positives.

Monitoring Alerts

Click the notification bell icon next to your site’s name in the top right corner. Here, you will be able to review the alerts generated by the IPS feature. Use the trash bin icon to delete an IDS alert. The eye icon acts on the rule itself: clicking it stops the rule from matching and blocking traffic. If you have a Block Duration set, a third, stop-sign icon appears. Clicking it unblocks the IP pair that would otherwise remain blocked for the full Block Duration.

If you want to undo any changes to the alerts or blocking, use Reset Ignored Rules from the settings page above.
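To make the interaction of the settings above (Notification Level, Block Level, Block Duration in fractional hours, the ignored-rule "eye" action and the stop-sign unblock) concrete, here is an added example that applies the same policy to Suricata EVE JSON alert records. This is illustrative code written for this article, not Alta's firmware; it assumes Suricata's default severity mapping (1 = High, 2 = Medium, 3 = Low), and the sample EVE lines are constructed.

```python
import json
from datetime import datetime, timedelta, timezone
# Suricata alert.severity -> UI level rank (assumption: 1 = High, 2 = Medium, 3 = Low).
SEVERITY_TO_RANK = {1: 3, 2: 2, 3: 1}
LEVEL_RANK = {"high": 3, "medium": 2, "low": 1}

class IpsPolicy:
    def __init__(self, notification_level, block_level, block_hours=None):
        if block_level == "low":  # Low is not offered as a Block Level (see the note above)
            raise ValueError("block level 'low' is not available")
        self.notify_rank = LEVEL_RANK[notification_level]
        self.block_rank = LEVEL_RANK[block_level]
        self.block_hours = block_hours  # None: only the individual attempt is blocked
        self.blocked_pairs = {}         # frozenset({src, dst}) -> expiry (UTC)
        self.ignored_sids = set()       # the "eye" icon: rule no longer matches or blocks

    def evaluate(self, eve_line, now):
        """Notify/block decision for one EVE JSON line; None if it is not an (unignored) alert."""
        event = json.loads(eve_line)
        if event.get("event_type") != "alert" or event["alert"]["signature_id"] in self.ignored_sids:
            return None
        rank = SEVERITY_TO_RANK.get(event["alert"]["severity"], 1)
        decision = {"sid": event["alert"]["signature_id"], "notify": rank >= self.notify_rank,
                    "block_attempt": rank >= self.block_rank, "block_pair": False}
        if decision["block_attempt"] and self.block_hours:
            pair = frozenset((event["src_ip"], event["dest_ip"]))  # both directions are denied
            self.blocked_pairs[pair] = now + timedelta(hours=self.block_hours)
            decision["block_pair"] = True
        return decision

    def is_pair_blocked(self, ip_a, ip_b, now):
        expiry = self.blocked_pairs.get(frozenset((ip_a, ip_b)))
        return expiry is not None and now < expiry

    def unblock_pair(self, ip_a, ip_b):  # the stop-sign icon
        self.blocked_pairs.pop(frozenset((ip_a, ip_b)), None)

# Constructed sample EVE lines (not real traffic), shaped like Suricata's EVE alert records.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"192.0.2.10","alert":{"signature_id":2000001,"signature":"ET MALWARE sample","severity":1}}',
    '{"event_type":"alert","src_ip":"198.51.100.5","dest_ip":"192.0.2.20","alert":{"signature_id":2000002,"signature":"ET INFO sample","severity":3}}',
]

def run_sample():
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    policy = IpsPolicy("medium", "medium", block_hours=0.5)  # 0.5 h == 30 minutes
    decisions = [d for d in (policy.evaluate(line, now) for line in SAMPLE_EVE) if d]
    return {"decisions": decisions,
            "blocked_at_29m": policy.is_pair_blocked("192.0.2.10", "203.0.113.7", now + timedelta(minutes=29)),
            "blocked_at_31m": policy.is_pair_blocked("203.0.113.7", "192.0.2.10", now + timedelta(minutes=31))}
```

Running `run_sample()` shows the High-severity alert both notifying and blocking the IP pair for 30 minutes, while the Low-severity alert falls below a Medium Notification Level and produces no notification or block.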
