08-13-2017 09:05 AM
I'm using vTM 17.3 (with WAF enabled).
Is there a way to configure vTM as IDS/IPS (intrusion detection / prevention systems)?
If not, what other options do I have to protect my system from intrusion?
08-30-2017 01:15 AM
A WAF works differently to IDS/IPS systems. An IDS can have rules to detect attacks at various layers of the OSI stack, and for various applications. They typically sit on the network (in-line or on a span port) and monitor all traffic through the network. A WAF, on the other hand, sits in-line with your webservers and looks specifically at application layer attacks against webservices.
The vTM WAF can be configured in either detection (IDS-like) or protection (IPS-like) mode, where it will either just alert you to attacks or actively prevent them. The minimal configuration you need to get IPS-like protection for your web services would be:
The WAF will be running in "detection" mode by default. Once you are happy that you don't have any false positives, you can log back in to the WAF UI and switch into "protection" mode.
You can also use vTM to protect other services by writing custom TrafficScript rules. For example, you could protect APIs by making use of the built-in XML validation, or you could write rate shaping rules to limit brute-force login attempts against any service.
If you're feeling adventurous, then there is also an article kicking around somewhere which describes how to import SNORT IDS rules for use in vTM. https://web.archive.org/web/20100917074840/http://knowledgehub.zeus.com:80/articles/2007/12/20/converting_snort_rules_to_trafficscript
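Added example, not part of the original reply: a TrafficScript request rule sketching the rate-shaping idea mentioned above for brute-force login attempts. The rate class name `login-limit`, the `/login` path and the backlog threshold are assumptions; the rate class itself has to be created in the vTM catalog with whatever per-minute limit suits the service.

```trafficscript
# Added example: throttle login attempts per client IP.
# Assumptions (not from the thread): a rate class named "login-limit"
# exists in the vTM catalog, and the login form posts to /login.

$RATE_CLASS  = "login-limit";   # hypothetical rate class name
$LOGIN_PATH  = "/login";        # hypothetical login endpoint
$MAX_BACKLOG = 5;               # queued attempts tolerated per client

# Only credential submissions are throttled; other traffic is untouched.
if( http.getMethod() == "POST"
    && string.startsWith( http.getPath(), $LOGIN_PATH ) ) {

   $ip = request.getRemoteIP();

   # Each distinct context value (here the client IP) gets its own queue,
   # so one noisy client does not slow down logins for everyone else.
   if( rate.getBacklog( $RATE_CLASS, $ip ) > $MAX_BACKLOG ) {
      # Too many attempts already waiting: log it and refuse this one
      # instead of letting the queue grow without bound.
      log.warn( "Login rate exceeded by " . $ip . " on " . http.getPath() );
      http.sendResponse( "429 Too Many Requests", "text/plain",
                         "Too many login attempts, try again later.\n", "" );
   }

   # Within the limit: hold the request until the rate class releases it.
   rate.use( $RATE_CLASS, $ip );
}
```

Keying on the client IP alone misses attempts spread across many addresses; adding the submitted username to the context string is a common refinement.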