KEMP Intrusion Protection (IPS)

There are a number of important things to note about how the KEMP LoadMaster implements the Intrusion Prevention System (IPS):
  • It can only be applied to HTTP and HTTPS with SSL Offloading enabled.
  • Although KEMP accepts rules in the Snort syntax, it is a custom IPS engine that implements the rules. KEMP does not use the Snort IPS engine itself.
  • The IPS uses the main system log so there are no specific "IPS" logs. These logs can be streamed to a central logging system via syslog.
  • Rules must be uploaded and updated manually.
  • Here is an example log entry of a detected malicious request:
    Detect: Unusual URL [192.168.11.15:47014->192.168.11.5:80] '/ibfs32.dll' - WEB-CLIENT Adobe Premier Pro ibfs32.dll dll-load exploit attempt (sid:18529 rev:1)
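
Because IPS detections land in the main system log, a central log system has to pick them out of the stream itself. The parser below is an added example, not KEMP code: its pattern is derived from the single sample entry above, and the syslog prefix, host name `lb1` and second detection line are constructed for illustration.

```python
import re
from collections import Counter

# Layout assumed from the one sample entry on this page (IPv4 only):
# Detect: <category> [src:port->dst:port] '<url>' - <rule message> (sid:N rev:N)
# The URL match is greedy and the sid is anchored to the end of the line, so
# text inside the request URL cannot stand in for the rule fields.
DETECT_RE = re.compile(
    r"Detect: (?P<category>.+?) "
    r"\[(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\] "
    r"'(?P<url>.*)' - (?P<message>.+) "
    r"\(sid:(?P<sid>\d+) rev:(?P<rev>\d+)\)\s*$"
)

def parse_detect(line):
    """Return the fields of an IPS 'Detect:' entry as a dict, or None."""
    m = DETECT_RE.search(line)  # search(): tolerate any syslog prefix
    if m is None:
        return None
    event = m.groupdict()
    for key in ("src_port", "dst_port", "sid", "rev"):
        event[key] = int(event[key])
    return event

def summarize(lines):
    """Count detections per (source IP, sid), skipping non-IPS lines."""
    counts = Counter()
    for line in lines:
        event = parse_detect(line)
        if event:
            counts[(event["src_ip"], event["sid"])] += 1
    return counts

# Constructed input: the page's sample entry behind a hypothetical syslog
# prefix, a second hit from the same client, and an unrelated system line.
SAMPLE_LOG = [
    "Jan  1 00:00:01 lb1 kernel: Detect: Unusual URL "
    "[192.168.11.15:47014->192.168.11.5:80] '/ibfs32.dll' - WEB-CLIENT Adobe "
    "Premier Pro ibfs32.dll dll-load exploit attempt (sid:18529 rev:1)",
    "Jan  1 00:00:02 lb1 kernel: Detect: Unusual URL "
    "[192.168.11.15:47020->192.168.11.5:80] '/ibfs32.dll' - WEB-CLIENT Adobe "
    "Premier Pro ibfs32.dll dll-load exploit attempt (sid:18529 rev:1)",
    "Jan  1 00:00:03 lb1 sshd: session opened for user admin",
]

if __name__ == "__main__":
    for (src_ip, sid), hits in summarize(SAMPLE_LOG).items():
        print(f"{src_ip} sid={sid} hits={hits}")
```
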

It should be noted that this IPS is not meant to replace a full network IPS. KEMP also have a much more complete security offering - a Web Application Firewall (WAF) component. This is probably more suitable for most Application Security requirements than the legacy IPS feature. Find out more about KEMP's Web Application Firewall feature here: KEMP Web Application Firewall Pack (AFP).
