Kaspersky IoT Secure Gateway 1000

Managing the Intrusion Prevention system

June 7, 2023

ID 196195

Kaspersky IoT Secure Gateway 1000 uses an Intrusion Prevention System (the IPS component) to detect and prevent suspicious network activity in the traffic passing through its internal and external interfaces. Traffic is analyzed against Intrusion Prevention rules.

An Intrusion Prevention rule describes a traffic anomaly that may indicate an intrusion into the protected enterprise infrastructure. Each rule contains the conditions that the Intrusion Prevention System checks traffic against in order to detect signs of the most frequently encountered attacks or of suspicious network activity. Intrusion Prevention rules are provided by Kaspersky, are stored on Kaspersky IoT Secure Gateway 1000, and are available immediately after Kaspersky IoT Secure Gateway 1000 is installed.

Kaspersky IoT Secure Gateway 1000 builds a list of denied IP addresses from the results of traffic analysis against the Intrusion Prevention rules. This list contains the internal-network and external-network IP addresses whose traffic Kaspersky IoT Secure Gateway 1000 blocks. A blocked IP address is removed from the list of denied IP addresses one hour after suspicious activity from that address ends.

If the Intrusion Prevention System and the list of denied IP addresses are both enabled and a rule is triggered, Kaspersky IoT Secure Gateway 1000 automatically blocks traffic from the IP address showing suspicious network activity, registers a security event, and writes it to the network security log.

If the Intrusion Prevention System is enabled but the list of denied IP addresses is disabled and a rule is triggered, Kaspersky IoT Secure Gateway 1000 does not block traffic from the IP address showing suspicious network activity, but it still registers a security event and writes it to the network security log.

If the Intrusion Prevention System is disabled, Kaspersky IoT Secure Gateway 1000 does not analyze network traffic for suspicious activity, so no Intrusion Prevention rules are triggered.

The list of allowed IP addresses contains the internal-network and external-network IP addresses whose traffic Kaspersky IoT Secure Gateway 1000 does not block. You can add the IP addresses of devices whose traffic should always be allowed to the list of allowed IP addresses and, if necessary, remove IP addresses of devices from it.
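The following Python model is an added example and is not Kaspersky's code: it only encodes the block/log behaviour described above (the three IPS states, the list of allowed IP addresses, and the one-hour removal from the list of denied IP addresses) so that an operator can reason about when a device will be blocked and when it will be released. Two points are assumptions, because the page does not spell them out: "one hour after suspicious activity ends" is read as one hour after the most recent rule trigger for that address (so a fresh trigger restarts the timer), and a rule match on an allowed address is assumed to still produce a security event. The IP addresses and rule names are constructed sample data.

```python
# Added example: model of the documented IPS block/log decision logic.
# Not Kaspersky product code; it encodes the behaviour described in the article.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Documented: a denied address is removed one hour after suspicious activity ends.
# Assumption: "ends" is taken as the time of the last rule trigger for that address.
DENY_TTL = timedelta(hours=1)


@dataclass
class IpsModel:
    ips_enabled: bool = True
    deny_list_enabled: bool = True
    allow_list: set[str] = field(default_factory=set)
    # ip -> time of the most recent rule trigger (a new trigger restarts the timer)
    last_trigger: dict[str, datetime] = field(default_factory=dict)
    # network security log entries: (time, ip, rule)
    security_log: list[tuple[datetime, str, str]] = field(default_factory=list)

    def rule_triggered(self, ip: str, when: datetime, rule: str) -> str:
        """Apply the documented decision when a rule matches traffic from `ip`.

        Returns "ignored" (IPS disabled), "logged" (event only) or "blocked".
        """
        if not self.ips_enabled:
            return "ignored"          # IPS disabled: traffic is not analyzed at all
        self.security_log.append((when, ip, rule))
        if not self.deny_list_enabled:
            return "logged"           # deny list disabled: event written, no blocking
        if ip in self.allow_list:
            # Allowed list: traffic is never blocked.
            # Assumption: the matching event is still recorded.
            return "logged"
        self.last_trigger[ip] = when  # (re)start the one-hour timer
        return "blocked"

    def expire(self, now: datetime) -> None:
        """Drop deny-list entries whose last trigger is at least DENY_TTL old."""
        for ip in [ip for ip, t in self.last_trigger.items() if now - t >= DENY_TTL]:
            del self.last_trigger[ip]

    def denied_ips(self, now: datetime) -> list[str]:
        """Current list of denied IP addresses after expiry has been applied."""
        self.expire(now)
        return sorted(self.last_trigger)

    def is_blocked(self, ip: str, now: datetime) -> bool:
        """Would traffic from `ip` be dropped at time `now`?"""
        if not (self.ips_enabled and self.deny_list_enabled) or ip in self.allow_list:
            return False
        return ip in self.denied_ips(now)


def scenario() -> dict[str, object]:
    """Walk the three documented states on constructed sample events."""
    t0 = datetime(2023, 6, 7, 12, 0)
    out: dict[str, object] = {}

    full = IpsModel(allow_list={"192.168.1.10"})           # IPS on, deny list on
    out["external_first"] = full.rule_triggered("10.0.0.5", t0, "rule-A")
    out["allowed_device"] = full.rule_triggered("192.168.1.10", t0, "rule-A")
    out["allowed_blocked"] = full.is_blocked("192.168.1.10", t0)
    out["blocked_at_59m"] = full.is_blocked("10.0.0.5", t0 + timedelta(minutes=59))
    # a second trigger at +30 min restarts the one-hour timer
    full.rule_triggered("10.0.0.5", t0 + timedelta(minutes=30), "rule-B")
    out["blocked_at_1h10"] = full.is_blocked("10.0.0.5", t0 + timedelta(hours=1, minutes=10))
    out["blocked_at_1h30"] = full.is_blocked("10.0.0.5", t0 + timedelta(hours=1, minutes=30))
    out["events_full"] = len(full.security_log)

    log_only = IpsModel(deny_list_enabled=False)           # IPS on, deny list off
    out["log_only"] = log_only.rule_triggered("10.0.0.5", t0, "rule-A")
    out["log_only_blocked"] = log_only.is_blocked("10.0.0.5", t0)
    out["events_log_only"] = len(log_only.security_log)

    off = IpsModel(ips_enabled=False)                      # IPS off
    out["ips_off"] = off.rule_triggered("10.0.0.5", t0, "rule-A")
    out["events_off"] = len(off.security_log)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The practical point the model makes visible is the sliding timer: a device that keeps tripping rules is never released, because every new trigger pushes the one-hour removal forward, whereas a device on the list of allowed IP addresses is never blocked regardless of how many events it generates.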
