Intrusion Prevention
The Intrusion Prevention module protects computers from being exploited by attacks against known and zero-day vulnerability attacks as well as against SQL injections attacks, cross-site scripting attacks, and other web application vulnerabilities. Shields vulnerabilities until code fixes can be completed. It identifies malicious software accessing the network and increases visibility into, or control over, applications accessing the network.
Intrusion Prevention prevents attacks by detecting malicious instructions in network traffic and dropping relevant packets.
Intrusion Prevention can be used for the following functions:
- Virtual patching: Intrusion Prevention rules can drop traffic designed to leverage unpatched vulnerabilities in certain applications or the operating system itself. This protects the host while awaiting the application of the relevant patches.
- Protocol hygiene: This detects and blocks traffic with malicious instructions.
- Application control: This control can be used to block traffic associated with specific applications like Skype or file-sharing utilities.
Basic configuration
To enable Intrusion Prevention functionality on a computer:
- In the Policy/Computer editor, go to Intrusion Prevention > General
- Select On , and then click Save
Inline vs. Tap Mode
The Intrusion Prevention module uses the Vulnerability ProtectionDeep Security Network Engine which can operate in one of two modes:
- Inline: Live packet streams pass directly through the Vulnerability ProtectionDeep Security network engine. All rules, therefore are applied to the network traffic before they proceed up the protocol stack.
- Tap Mode: Live packet streams are replicated and diverted from the main stream.
In Tap Mode, the live stream is not modified. All operations are performed on the replicated stream. When in Tap Mode, Vulnerability ProtectionDeep Security offers no protection beyond providing a record of Events.
To switch between Inline and Tap mode, open a Policy or Computer Editor and go to Settings > Network Engine > Network Engine Mode.
Prevent vs Detect
There are two additional options that are available if Vulnerability ProtectionDeep Security Network Engine is in Inline mode:
- Prevent: Intrusion Prevention rules are applied to traffic and related log events are generated.
- Detect: Intrusion Prevention rules are still triggered and Events are generated but traffic is not affected. You should always test new Intrusion Prevention settings and rules in Detect mode to make sure that possible false positives will not interrupt service on your computers. Once you are satisfied that no false positives are being triggered (by monitoring Intrusion Prevention Events for a period of time), you can switch over to Prevent mode.
Individual Intrusion Prevention Rules can be applied in detect-only or prevent mode as well. When applying any new Intrusion Prevention Rule, it's a good idea to run it for a period of time detect-only mode to make sure it won't interfere with legitimate traffic. Some Rules issued by Trend Micro are set to detect-only by default. For example, mail client Intrusion Prevention Rules are generally detect-only since they will block the download of all subsequent mail. Some Rules only trigger if a condition occurs a large number times, or a certain number of times over a certain period and so the individual condition shouldn't be prevented but an alert is raised if the condition recurs. And some Rules are simply susceptible to false positives. These Rules will be shipped in detect-only mode by default and it is up to you to determine if you wish to switch them to prevent mode after having observed that no false positives are being triggered.
NSX Security Tags
Deep Security can apply NSX Security Tags to protected VMs upon detecting a malware threat. NSX Security Tags can be used with NSX Service Composer to automate certain tasks, such as quarantining infected VMs. Consult your VMware NSX documentation for more information on NSX Security Tags and dynamic NSX Security Group assignment.
The Anti-Malware and Intrusion Prevention System protection modules can be configured to apply NSX Security Tags.
To configure the Intrusion Prevention module to apply NSX Security Tags, go to Computer/Policy Editor > Intrusion Prevention > Advanced > NSX Security Tagging.
Intrusion Prevention Events have a severity level that is determined by the severity level of the Intrusion Prevention Rule that caused it.
Intrusion Prevention Rule severity levels map to NSX tags as follows:
| IPS Rule Severity | NSX Security Tag |
|---|---|
| Critical | IDS_IPS.threat=high |
| High | IDS_IPS.threat=high |
| Medium | IDS_IPS.threat=medium |
| Low | IDS_IPS.threat=low |
You can configure the sensitivity of the tagging mechanism by specifying the minimum Intrusion Prevention severity level that will cause an NSX security tag to be applied to a VM.
The options for the Minimum rule severity to trigger application of an NSX Security Tag setting are:
- Default (No Tagging): No NSX tag is applied.
- Critical: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Critical is triggered.
- High: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of High or Critical is triggered.
- Medium: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Medium, High, or Critical is triggered.
- Low: An NSX tag is applied to the VM if an Intrusion Prevention Rule with a severity level of Low, Medium, High, or Critical is triggered.
Separate settings are provided for Rules that are operating in Prevent mode and for Rules that operating in Detect-only mode.