Distributed Intrusion Detection and Prevention Service (IDS/IPS) monitors network traffic on the host for suspicious activity.
Signatures can be enabled based on severity. A higher severity score indicates an increased risk associated with the intrusion event. Severity is determined based on the following:
- Severity specified in the signature itself
- CVSS (Common Vulnerability Scoring System) score specified in the signature
- Type-rating associated with the classification type
IDS detects intrusion attempts by matching traffic against already known malicious patterns; these patterns are known as signatures. You can set the action (alert, drop, or reject) for a specific signature globally, or per profile.
| Action | Description |
|---|---|
| Alert | An alert is generated and no automatic preventive action is taken. |
| Drop | An alert is generated and the offending packets are dropped. |
| Reject | An alert is generated and the offending packets are dropped. For TCP flows, a TCP reset packet is generated by IDS and sent to the source and destination of the connection. For other protocols, an ICMP-error packet is sent to the source and destination of the connection. |
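The following is an added illustration, not NSX-T code: a small Python model of the action semantics in the table above and of the global-versus-profile resolution described for signature actions. Signature IDs, profile names and addresses in it are constructed values.

```python
"""Model of the Distributed IDS/IPS action semantics described above.

Constructed illustration, not NSX-T code: resolves the effective action for a
signature (per-profile setting wins over the global one) and shows what each
action does to an offending packet according to the documentation table.
"""
from dataclasses import dataclass, field

ACTIONS = ("ALERT", "DROP", "REJECT")


@dataclass
class Flow:
    proto: str   # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str


@dataclass
class Verdict:
    alert: bool
    dropped: bool
    responses: list = field(default_factory=list)  # (packet_type, sent_to)


class SignatureActions:
    """Global action per signature ID, optionally overridden per profile."""

    def __init__(self, default="ALERT"):
        self.default = default
        self.global_actions = {}   # sig_id -> action
        self.profile_actions = {}  # profile -> {sig_id -> action}

    def set_global(self, sig_id, action):
        assert action in ACTIONS
        self.global_actions[sig_id] = action

    def set_profile(self, profile, sig_id, action):
        assert action in ACTIONS
        self.profile_actions.setdefault(profile, {})[sig_id] = action

    def effective(self, sig_id, profile=None):
        """A profile-specific setting takes precedence over the global one."""
        per_profile = self.profile_actions.get(profile, {})
        return per_profile.get(sig_id, self.global_actions.get(sig_id, self.default))


def apply_action(action, flow):
    """Every action raises an alert; DROP and REJECT discard the packet, and
    REJECT additionally notifies both ends (TCP reset for TCP, ICMP error otherwise)."""
    if action == "ALERT":
        return Verdict(alert=True, dropped=False)
    if action == "DROP":
        return Verdict(alert=True, dropped=True)
    kind = "TCP_RST" if flow.proto == "TCP" else "ICMP_ERROR"
    return Verdict(alert=True, dropped=True,
                   responses=[(kind, flow.src), (kind, flow.dst)])
```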
Note: Do not enable Distributed Intrusion Detection and Prevention Service (IDS/IPS) in an environment that is using Distributed Load Balancer.
NSX-T Data Center does not support using IDS/IPS with a Distributed Load Balancer.
Distributed IDS/IPS Configuration:
- Enable IDS/IPS on hosts, download the latest signature set, and configure signature settings (see Distributed IDS/IPS Settings and Signatures).
- Create IDS/IPS profiles (see Distributed IDS/IPS Profiles).
- Create IDS/IPS rules (see Distributed IDS/IPS Rules).
- Verify IDS/IPS status on hosts.