vADC Forum

Visitor
Posts: 1
Registered: ‎07-27-2017

Intrusion Detection \ Prevention System with vTM

Hi

I'm using vTM 17.3 (with WAF enabled).

Is there a way to configure vTM as an IDS/IPS (intrusion detection/prevention system)?

If not, what other options do I have to protect my system from intrusion?

 

regards

Brocadian
Posts: 23
Registered: ‎05-22-2015

Re: Intrusion Detection \ Prevention System with vTM

Hi Yarix,

 

A WAF works differently to IDS/IPS systems. An IDS can have rules to detect attacks at various layers of the OSI stack, and for various applications. They typically sit on the network (in-line or on a span port) and monitor all traffic through the network. A WAF, on the other hand, sits in-line with your web servers and looks specifically at application-layer attacks against web services.

 

The vTM WAF can be configured in either detection (IDS-like) or protection (IPS-like) mode, where it will either just alert you to attacks or actively prevent them. The minimal configuration you need to get IPS-like protection for your web services would be:

 

  • Install the WAF in vTM under System -> Application Firewall
  • Then in the WAF:
    • Create a policy and perform application mapping of your hosts
    • Apply the baselines using the wizard.
  • Enable the WAF for your HTTP vservers.
  • TEST TEST TEST

The WAF will be running in "detection" mode by default. Once you are happy that you don't have any false positives, you can log back in to the WAF UI and switch into "protection" mode.

 

You can also use vTM to protect other services by writing custom TrafficScript rules. For example, you could protect APIs by making use of the built-in XML validation, or you could write rate shaping rules to limit brute-force login attempts against any service.

 

If you're feeling adventurous, then there is also an article kicking around somewhere which describes how to import SNORT IDS rules for use in vTM. https://web.archive.org/web/20100917074840/http://knowledgehub.zeus.com:80/articles/2007/12/20/converting_snort_rules_to_trafficscript

 

Cheers,

Mark
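
Added example, not part of the reply above and not Brocade's own code: a TrafficScript request rule sketching the rate-shaping idea for login attempts. The rate class name "login-limit", the /login path and the backlog threshold of 5 are assumptions; the rate class must already exist in the vTM catalog.

```trafficscript
# Request rule for an HTTP virtual server (added example).
# Assumptions: a rate class named "login-limit" has been created in the
# catalog (for example 10 requests per minute) and the application's
# login form is submitted with POST to a path starting with /login.

$path   = http.getPath();
$method = http.getMethod();

if( $method == "POST" && string.startsWith( $path, "/login" ) ) {
   $ip = request.getRemoteIP();

   # The client IP is passed as the context, so every source address
   # gets its own queue instead of all clients sharing one limit.
   # If this client already has more than 5 requests waiting, it is
   # far over the limit: log it and refuse instead of queueing more.
   if( rate.getBacklog( "login-limit", $ip ) > 5 ) {
      log.warn( "Login rate limit exceeded by " . $ip . " for " . $path );
      http.sendResponse( "429 Too Many Requests", "text/plain",
                         "Too many login attempts. Try again later.\n",
                         "Retry-After: 60" );
   }

   # Otherwise delay the request until the rate class allows it through.
   rate.use( "login-limit", $ip );
}
```

The log.warn lines give a detection signal in the vTM event log before any blocking threshold is tightened, which mirrors the detect-first, protect-later approach described for the WAF.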

 
