UniFi Gateway - Intrusion Detection and Prevention (IDS/IPS)
UniFi's Intrusion Detection and Prevention system (IDS/IPS) is a critical component designed to enhance your network security. This system serves as a frontline defense, identifying and mitigating threats before they can cause harm.
What is Intrusion Detection and Prevention?
- Intrusion Detection System (IDS): Monitors network traffic for suspicious activity and alerts administrators.
- Intrusion Prevention System (IPS): Similar to IDS but also takes proactive steps to block detected threats.
Why are IPS and IDS Important?
- Threat Detection & Prevention: Identifies malicious traffic, preventing potential damage. Real-time signature updates ensure you are protected against new and evolving threats.
- Continuous Monitoring & Analytics: Provides detailed logs of security events to better understand network trends.
- Compliance: Helps meet security standards and regulatory requirements (PCI-DSS, HIPAA, etc.).
What are Threat Signatures?
IDS/IPS works by scanning network traffic for patterns, known as signatures, that indicate known threats. Deep Packet Inspection (DPI) is used to thoroughly examine the contents of data packets at various layers of network communication:
- Layer 3 (Network Layer): IP addresses
- Layer 4 (Transport Layer): Ports and protocols
- Layer 7 (Application Layer): Application payloads
A signature’s matching characteristic may consist of various elements from one or multiple layers, either within a single packet, or multiple packets throughout a communication session. For example, a given signature might look for multiple packets of a specified size being sent from a particular IP address over a specific port.
UniFi has thousands of signatures, each grouped into distinct threat categories so you can flexibly configure your network to best meet your organizational goals.
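The signature description above (Layer 3/4/7 characteristics, matched within one packet or across several packets of a session) can be made concrete with a small matcher. The following is an added illustration, not UniFi's engine or ruleset: the `Packet`, `Signature` and `Detector` names are invented, the signature ids and the traffic are constructed, and the first signature simply looks for the User-Agent string used in the page's own curl test.

```python
# Added illustration (not UniFi's engine): a minimal multi-layer signature matcher.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    """One packet with the Layer 3/4/7 fields a signature may inspect."""
    src_ip: str
    dst_ip: str
    proto: str          # Layer 4 protocol, "tcp" or "udp"
    dst_port: int
    payload: bytes      # Layer 7 application data

    @property
    def size(self) -> int:
        return len(self.payload)


@dataclass
class Signature:
    """Constructed signature: every set field must match; count > 1 makes it a
    multi-packet signature that fires on the Nth matching packet of a session."""
    sid: int
    name: str
    category: str
    src_ip: Optional[str] = None        # Layer 3 characteristic
    proto: Optional[str] = None         # Layer 4 characteristic
    dst_port: Optional[int] = None      # Layer 4 characteristic
    content: Optional[bytes] = None     # Layer 7 characteristic (payload substring)
    size: Optional[int] = None          # exact payload length, for size-based rules
    count: int = 1

    def matches(self, p: Packet) -> bool:
        return ((self.src_ip is None or p.src_ip == self.src_ip)
                and (self.proto is None or p.proto == self.proto)
                and (self.dst_port is None or p.dst_port == self.dst_port)
                and (self.content is None or self.content in p.payload)
                and (self.size is None or p.size == self.size))


class Detector:
    """Tracks per-session match counts so multi-packet signatures can fire."""

    def __init__(self, signatures):
        self.signatures = signatures
        self.hits = defaultdict(int)    # (sid, session) -> matching packets seen
        self.alerts = []

    def inspect(self, p: Packet):
        session = (p.src_ip, p.dst_ip, p.proto, p.dst_port)
        fired = []
        for sig in self.signatures:
            if not sig.matches(p):
                continue
            key = (sig.sid, session)
            self.hits[key] += 1
            if self.hits[key] == sig.count:     # fire once, on the Nth packet
                alert = {"sid": sig.sid, "signature": sig.name,
                         "category": sig.category, "src_ip": p.src_ip,
                         "dst_ip": p.dst_ip, "proto": p.proto,
                         "dst_port": p.dst_port}
                self.alerts.append(alert)
                fired.append(alert)
        return fired


# Constructed signatures. SIDs and names are placeholders, not real ruleset ids.
SIGNATURES = [
    # Layer 4 + Layer 7: HTTP to port 80 carrying the User-Agent from the page's
    # curl test, placed in the "Trojan" category the page associates with it.
    Signature(sid=1000001, name="HTTP User-Agent BlackSun", category="Trojan",
              proto="tcp", dst_port=80, content=b"User-Agent: BlackSun"),
    # Layer 3 + Layer 4 + multi-packet: three 64-byte UDP datagrams from one
    # source IP to one port within the same session.
    Signature(sid=1000002, name="Repeated fixed-size UDP from 203.0.113.7",
              category="Scan", src_ip="203.0.113.7", proto="udp",
              dst_port=4444, size=64, count=3),
]


def run_demo():
    """Replays constructed traffic through the detector and returns the alerts raised."""
    det = Detector(SIGNATURES)
    http = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: %s\r\n\r\n"
    traffic = [
        Packet("192.168.1.20", "198.51.100.10", "tcp", 80, http % b"curl/8.0"),   # benign
        Packet("192.168.1.20", "198.51.100.10", "tcp", 80, http % b"BlackSun"),   # L7 hit
        Packet("203.0.113.7", "192.168.1.5", "udp", 4444, b"A" * 64),
        Packet("203.0.113.7", "192.168.1.5", "udp", 4444, b"A" * 64),
        Packet("203.0.113.7", "192.168.1.5", "udp", 4444, b"A" * 40),             # wrong size
        Packet("203.0.113.7", "192.168.1.5", "udp", 4444, b"A" * 64),             # third hit
    ]
    for p in traffic:
        det.inspect(p)
    return det.alerts
```

The first alert is raised by a single packet on its Layer 7 content; the second is raised only when the third matching datagram of the session arrives, which is why the detector has to keep per-session state rather than inspecting packets in isolation.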
Configuring IDS/IPS
To configure IDS/IPS, follow these steps:
- Navigate to Network Settings > Security > Protection.
- Toggle on Intrusion Prevention.
- Select the networks you wish to apply IPS/IDS to.
- Configure the Detection Mode as Notify (IDS) or Notify and Block (IPS).
- Select the Active Detections you want to apply.
Expanding Threat Signatures with CyberSecure
CyberSecure is a per-site subscription that greatly extends the size of UniFi's threat signature database used by Intrusion Detection and Prevention. View the CyberSecure article for more information.
Responding to a Detection
When a threat is detected, both IPS and IDS will generate email and mobile push alerts. However, IPS will also block the detected threats automatically.
- View Detections:
  - Check detections in the System Log located at System Log > Security Detection or the Inspection tab located at Insights > Inspection.
- Recognize Important Alert Details:
  - Identify the affected client, threat source IP, protocol, signature, threat category, date/time, and any other relevant information or descriptions.
- Verify the Threat Details:
  - Research the Threat Signature: Look for analyses from cybersecurity researchers, or other reputable cybersecurity databases and forums, for more detailed information and community insights about the threat.
  - Determine Expected Traffic: Based on who or what the IP address belongs to, determine whether this is expected traffic and therefore likely a false positive. Note: Media and gaming traffic are common contributors to false positives.
  - Check the Affected Client: Check the affected client for obvious signs of compromise, such as slowness, lack of responsiveness, or unwanted pop-ups.
  - Confirm OS Relevance: If the signature is associated with a particular operating system (OS), confirm whether your device runs that OS. If not, it is likely a false positive.
- Respond Accordingly:
  - Block Connection: Blocks the connection between the specific source and destination by automatically generating a Firewall Rule.
  - Block Source IP: Blocks all traffic from the source of the threat by automatically generating a Firewall Rule.
  - Allow Signature: Prevents the associated signature from triggering IPS/IDS by adding it to the Signature Suppression table located in Settings > Security > Intrusion Prevention.
  - Exclude Source IP: Prevents the source IP from triggering IPS/IDS by adding it to the Security Detection Allow List located in Settings > Security > Intrusion Prevention.
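The response workflow above (detection mode, the Signature Suppression table, the Security Detection Allow List, and the two firewall-rule actions) is easier to reason about as a small policy model. The code below is an added example and not UniFi's implementation or API: the `Detection`, `Policy` and `FirewallRule` names, the evaluation order, and the sample detections are all constructed for illustration. It also carries the "Confirm OS Relevance" check through as a triage helper.

```python
# Added illustration, not UniFi's implementation: how a detection flows through
# the allow list, signature suppression, detection mode and response actions.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Detection:
    """The alert details the page tells you to note: client, source, protocol, signature, category."""
    sid: int
    signature: str
    category: str
    src_ip: str
    client_ip: str
    proto: str
    dst_port: int
    target_os: Optional[str] = None   # OS the signature applies to, when the rule says so


@dataclass
class FirewallRule:
    src_ip: str
    dst_ip: str          # "any" when the whole source is blocked
    comment: str


@dataclass
class Policy:
    mode: str = "notify"   # "notify" = IDS (alert only), "notify_and_block" = IPS
    suppressed_sids: Set[int] = field(default_factory=set)    # Signature Suppression table
    excluded_src_ips: Set[str] = field(default_factory=set)   # Security Detection Allow List
    firewall_rules: List[FirewallRule] = field(default_factory=list)

    def evaluate(self, d: Detection) -> str:
        """Exclusions are consulted before any alert or block is produced."""
        if d.src_ip in self.excluded_src_ips:
            return "excluded_source"
        if d.sid in self.suppressed_sids:
            return "suppressed_signature"
        if self.mode == "notify_and_block":
            return "notified_and_blocked"
        return "notified"

    # The four response actions from the page, as a defender would apply them.
    def block_connection(self, d: Detection) -> FirewallRule:
        """Only the specific source-to-client pair is blocked."""
        rule = FirewallRule(d.src_ip, d.client_ip, f"IDS/IPS sid {d.sid}: block connection")
        self.firewall_rules.append(rule)
        return rule

    def block_source_ip(self, d: Detection) -> FirewallRule:
        """All traffic from the threat source is blocked, whatever the destination."""
        rule = FirewallRule(d.src_ip, "any", f"IDS/IPS sid {d.sid}: block source")
        self.firewall_rules.append(rule)
        return rule

    def allow_signature(self, d: Detection) -> None:
        self.suppressed_sids.add(d.sid)

    def exclude_source_ip(self, d: Detection) -> None:
        self.excluded_src_ips.add(d.src_ip)

    def is_blocked(self, src_ip: str, dst_ip: str) -> bool:
        return any(r.src_ip == src_ip and r.dst_ip in ("any", dst_ip)
                   for r in self.firewall_rules)


def triage(d: Detection, client_os: Optional[str]) -> str:
    """Confirm OS relevance: a signature for another OS is likely a false positive."""
    if d.target_os and client_os and d.target_os.lower() != client_os.lower():
        return "likely_false_positive"
    return "investigate"


def run_demo() -> dict:
    """Walks one constructed detection through IDS and IPS policies; returns the outcomes."""
    d = Detection(1000002, "Repeated fixed-size UDP", "Scan",
                  src_ip="203.0.113.7", client_ip="192.168.1.5", proto="udp", dst_port=4444)
    ids, ips = Policy(mode="notify"), Policy(mode="notify_and_block")
    results = {"ids": ids.evaluate(d), "ips": ips.evaluate(d)}
    ips.block_source_ip(d)                  # Block Source IP: covers other clients too
    results["src_blocked_other_client"] = ips.is_blocked(d.src_ip, "192.168.1.9")
    ids.block_connection(d)                 # Block Connection: only this pair
    results["conn_blocked_other_client"] = ids.is_blocked(d.src_ip, "192.168.1.9")
    results["conn_blocked_this_client"] = ids.is_blocked(d.src_ip, d.client_ip)
    ids.allow_signature(d)
    results["after_allow_signature"] = ids.evaluate(d)
    ids.exclude_source_ip(d)
    results["after_exclude_source"] = ids.evaluate(d)
    win = Detection(1000003, "Windows-only exploit attempt", "Exploit",
                    src_ip="203.0.113.9", client_ip="192.168.1.30", proto="tcp",
                    dst_port=445, target_os="Windows")
    results["triage_linux_client"] = triage(win, client_os="Linux")
    return results
```

Note the difference in scope between the two blocking actions: Block Source IP affects every destination behind the gateway, while Block Connection affects only the one source-to-client pair, so the broader rule is the one to reach for when the source is confirmed hostile and the narrower one when only a single client's exposure needs closing.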
Testing IDS/IPS
To test IDS/IPS, follow these steps:
- Set Detection Sensitivity to High.
  - Note: This is needed to enable the “Trojan” threat category associated with the test signature.
- Open a terminal or command prompt on a client connected to the UniFi network.
- Run the following test command:
  curl -A "BlackSun" http://www.example.com
- Check System Log > Security Detection for the alert.
  - Note: The alert may take a moment before appearing.
FAQs
Does UniFi have real-time signature updates?
What is the Advanced Information shown for each signature?
What is the risk shown for each signature?
Does enabling Intrusion Prevention affect speed or performance?
Enabling this increases CPU and memory utilization. As a result, we set limits on the number of networks it can be simultaneously applied to.
Since traffic is being actively inspected, maximum routing performance may be reduced. See techspecs.ui.com for more information.
Is my information private?
Yes, UniFi ensures that your information is kept private and secure. The only data retained is that of the attacker's IP address to ensure our threat database remains up-to-date.
Note: When security detections are triggered, certain metadata including timestamps, IP addresses, ports, protocols and signatures temporarily pass through an encrypted communication channel with our cloud before it is ultimately deleted.