Administrator's Guide - Kerio Software Archive

Firewall and Intrusion Prevention System
• Log — detected intrusion will be only recorded in the Security log,
• No action — the detected intrusion will be ignored.
Default and recommended settings for individual intrusion severity levels:
• High severity → Log and drop,
• Medium severity → Log,
• Low severity → No action (in case that there is a suspicion of too many false alarm
cases, see also Advanced settings).
Functionality of the intrusion prevention system can be tested by clicking on the link on
a special web page on one of the Kerio Technologies servers. Upon startup of the test,
three fake harmless intrusions of high, middle and low severity will be sent to the client’s
address (i.e. to the IP address of your firewall). The test script then evaluates whether the
firewall let the intrusion attempts in or blocked them. The Security log will also include
three corresponding records informing of whether the firewall blocked, only logged or
ignored the intrusions (for details, see chapter 22.11).
Note: This test is designed only for purposes of the intrusion prevention system built in
Kerio Control. It cannot be used for testing of other IDS/IPS.
Use of known intruders databases (blacklists)
In addition to detection of known intrusion types, it is also possible to detect and block
traffic from IP addresses listed in web databases of known intruders (so called blacklists).
In this case, all traffic from the IP address is logged and possibly blocked. Such
method of detection and blocking of intruders is much faster and also less demanding
than detection of individual intrusion types. However, there are also some disadvantages
of this method. Blacklists cannot include IP addresses of all possible intruders as the
intruders often use fake addresses. Blacklist also may include IP addresses of legitimate
clients or servers. Therefore, it is possible to set the same actions for blacklists as for
detected intrusions:
• Log and drop — information about the detected traffic and blocked IP address
will be recorded in the Security log and any network traffic from that IP address
will be blocked.
• Log — information about the detected traffic and blocked IP address will be only
recorded in the Security log,
• No action — the detected blacklisted IP address will not be considered as an
intruder.
Note: Kerio Control does not include the option of custom blacklist adding.
Update of intrusions and known intruders databases
For correct functionality of the intrusion detection system, it is necessary to update
databases of known intrusions and intruder IP addresses regularly. Kerio Control allows
to set an interval for regular automatic updates (the default value is 24 hours) and it is
also possible to perform an immediate update if needed (e.g. after a longer electricity
supply outage). Under usual circumstances there is no reason to disable automatic
updates — non-updated databases decrease effectivity of the intrusion prevention
114