MetaFlows now supports Intrusion Prevention. Our design team has modified pfring so that subscribers can deploy sensors inline. Inline pfring runs at high-performance speeds. Customers should not have any performance issues at all on any Gigabit network.
With Soft IPS, MetaFlows customers can turn any off-the-shelf hardware into a high-speed intrusion prevention system that blocks torrents.
To deploy inline customers will need at least 2 hardware interface on the box and specify a third interface for management (could be virtual). Configure the sensor through the sensor configuration page and restart the sensor. To start blocking things, just click on any of the snort rules on the rule management interface, save and reload the rules. It’s that easy to set up a high-performance IPS system.
For customers who do not want to deploy inline, the MetaFlows Design Team also developed an active response system that lets subscribers disrupt TCP (and sometimes UDP) sessions with a sensor deployed as a passive device. It works great for enforcing network usage policies associated with particular snort rules (like Bittorrent, drop-box, etc.) or simply to block particular hosts that should not be on the network. The active response mechanism works by injecting spoofed TCP reset packets into the network (and other things). Every time something is blocked, log message associated with that action will appear in the MetaFlows interface. In order for the passive response system to actually actively block, subscribers will need to modify the sensor configuration and enable the “Isolate” checkbox. Leaving the checkbox off will only simulate the actions and log what it wold have blocked.
Whether inline or as a active response, the default block rules are not turned on. It is up to the customer to decide what should be blocked.
For answers to any questions about the Isolate Plugin or Soft IPS, please contact the MetaFlows Design Team at email@example.com.